WHO’S WATCHING THE WATCHDOG?
EXAMINING FINANCIAL MANAGEMENT 
AT THE SEC 


WEDNESDAY, JULY 27, 2005 

U.S. Senate,
Subcommittee on Federal Financial Management,
Government Information, and International Security,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.

The Subcommittee met, pursuant to notice, at 2:32 p.m., in room 
562, Dirksen Senate Office Building, Hon. Tom Coburn, Chairman 
of the Subcommittee, presiding. 

Present: Senators Coburn and Carper.

OPENING STATEMENT OF CHAIRMAN COBURN 

Senator Coburn. The hearing will come to order. This is a hear- 
ing of the Federal Financial Management Oversight Subcommittee 
of the Homeland Security and Governmental Affairs Committee. 

The Securities and Exchange Commission (SEC) plays a crucial 
role in ensuring the continued health of the U.S. capital markets 
by administering the Federal laws that govern U.S. securities mar- 
kets. In 2004, the Commission took an aggressive agenda, with the 
implementation of rulemaking projects under the Sarbanes-Oxley 
Act, including supervision of the Public Company Accounting Over- 
sight Board and its regulation of auditors of public companies, such 
as the former Arthur Andersen, PricewaterhouseCoopers, and other
auditing firms. 

The Commission is expanding its role. For instance, we have 
seen increased promulgation of regulation to identify abuses in the 
mutual fund industry and requiring hedge funds to register. These 
rules have shown the agency’s commitment to maintaining integ- 
rity in the U.S. markets and, more importantly, investor confidence 
within the United States. Without a doubt, the Securities and Ex- 
change Commission has a difficult job, but also a very vital role in 
the U.S. economy. 

I would reference a poster which is their vision statement. It 
would read and note that, in its own words, the Commission “aims 
to be the standard against which Federal agencies are measured.” 
If this is the vision, we have a long way to go. 

Similarly, its rigorous reform agenda, coupled with its ability to 
continue expanding its regulatory role, raises the question of SEC’s 
ability to maintain effective examination and enforcement of the securities
industry while making necessary internal control changes.
These goals deserve candid discussion. 

The Accountability for Tax Dollars Act of 2002 expanded the re- 
quirement to conduct annual audits of agencies’ finances from the 
original 24 CFO Act agencies to all Executive Branch agencies in 
the Federal Government. Since then, the SEC has been required to 
prepare and submit to Congress and the Office of Management and 
Budget (OMB) audited financial statements. Fiscal year 2004 was
the first year SEC prepared its first complete set of financial state- 
ments. 

GAO performed this initial audit, and though the SEC received 
a clean audit opinion on its financial statements, GAO found three 
very significant material weaknesses in the areas of appropriately 
preparing financial statements, keeping track of penalties owed to 
the government and to harmed investors, and finally, an insecure 
information system which makes sensitive data vulnerable. Such 
disturbing audit results are inexcusable for the financial watchdog 
of corporate America. 

I am reminded of the unique indignation you feel when you are 
passed on the highway by a trooper or policeman who doesn’t have 
his lights on and is just going home, or the outrage that America 
felt when a longtime Federal forest ranger started a forest fire that 
destroyed 30 homes and 100,000 acres in Colorado. What I am get- 
ting at here is that those most entrusted with enforcement author- 
ity cannot be above their own standards. Americans will not and 
should not tolerate that sort of hypocrisy. 

In addition, due to poor budgeting, the Commission understated 
by $50 million the cost for new buildings in New York City, Boston, 
and Washington, DC. The original cost estimate for these three 
new buildings, which was estimated in fiscal year 2005, was ap- 
proximately $22 million. In fewer than 3 years, the cost has more 
than tripled. I am also aware that rather than absorbing the cost 
of this budgeting problem, in fiscal year 2006, SEC plans to heap 
the financing burden on these buildings on generations down the 
road. 

Four years ago, the Global Research Analysts Settlement re- 
quired the firms involved to pay $875 million in penalties and 
disgorgement, including $80 million dedicated to investor edu- 
cation. Fifty-two-point-five million of this was supposed to establish 
an investor education fund to develop and support programs de- 
signed to equip investors. While $27.5 million of these monies were 
directed to State securities regulators for investor education, the 
transfer of $52.5 million to the NASD Foundation has raised legal 
questions and I anticipate solid explanations for this decision. 

I look forward in this hearing to find the progress that the SEC 
has already made with regard to strengthening internal controls 
this year. I also look forward to discussing their intent for reform 
of an agency that must maintain shining standards of financial re- 
porting, given the important role that it plays in regulating public 
companies and the U.S. securities market. 

I want to thank our witnesses, the Hon. David Walker, Comp- 
troller General of the United States, and James McConnell, for 
being with us. 

David M. Walker has been Comptroller General of the United
States since November 1998. He serves as the Nation’s chief ac- 
countability officer and head of the U.S. Government Account- 
ability Office. Mr. Walker has extensive executive-level experience 
in both government and private industry. He is a Certified Public 
Accountant, has a degree in accounting from Jacksonville Univer- 
sity and a Senior Management in Government Certificate in Public 
Policy from the John F. Kennedy School of Government at Harvard 
University, as well as honorary degrees in both business and public 
service. 

Jim McConnell, Executive Director of the Securities and Ex- 
change Commission, is our second witness. Mr. McConnell was ap- 
pointed Executive Director of the U.S. Securities and Exchange 
Commission in October 1990. Prior to his role as Executive Direc- 
tor, Mr. McConnell served as the Commission’s Chief Management 
Analyst, where he was primarily responsible for preparation of the 
agency’s budget and authorization request, as well as the agency’s 
internal control program. Today, as Executive Director, he is re- 
sponsible for achieving efficiency and economy in the Commission’s 
operations as well as for developing and executing overall manage- 
ment policies within the policy framework established by the 
Chairman. In 1991, Mr. McConnell received the Chairman’s Award 
of Excellence, recognizing his performance in improving the man- 
agement and budget operations of the SEC. Prior to joining the 
Commission, Mr. McConnell worked at the Department of Labor, 
where he received a Distinguished Career Service Award, that 
agency’s highest honor. He holds a B.S. in business administration 
from Virginia Tech. 

I would like to thank each of you for being here. General Walker, 
if you would start. Your written testimony will be made a part of 
the record and we won’t have any time limits. 

TESTIMONY OF HON. DAVID M. WALKER,¹ COMPTROLLER GENERAL
OF THE UNITED STATES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Walker. Thank you, Mr. Chairman. It is good to be back be- 
fore this Subcommittee today to talk about the results of our first 
audit of the Securities and Exchange Commission for the fiscal 
year ended 2004. 

As you noted in your opening statement, this was the first ever 
audit of the Securities and Exchange Commission, which resulted 
from recent legislation that expanded the audit requirements that 
previously applied to most major Federal Government agencies. I 
think it is important to note that our report was issued on May 26, 
2005. It has been made available to you as well as to the public. 

There were mixed results from that initial audit. First, the SEC 
did earn a clean opinion on its financial statements. That is quite 
an accomplishment. The fact of the matter is that most of the agencies
in the Federal Government who undertook their first audit did
not earn a clean opinion the first time out. 

At the same point in time, as you properly pointed out, the SEC 
plays a critically important role with regard to the securities markets
and also with regard to overseeing the public accounting profession
through the Public Company Accounting Oversight Board
(PCAOB). Therefore, it is important that the SEC lead by example
with regard to its own financial management activities.

¹ The prepared statement of Mr. Walker appears in the Appendix on page 25.

While the SEC received a clean opinion on its financial state- 
ments, it received an adverse opinion on internal control. There 
were three material control weaknesses which we highlighted, the 
first dealing with preparing financial statements and related dis- 
closures; the second dealing with recording and reporting of 
disgorgements and civil penalties; and the third dealing with infor- 
mation security. 

It is important to note that these weaknesses were as of the date 
of our opinion. SEC management and leadership has agreed with 
the vast majority of our recommendations, and they have taken a 
number of steps to try to address these recommendations. Further- 
more, it is also important to note that there are a number of other 
Federal agencies that have similar material control weaknesses, es- 
pecially with regard to information security. 

But as you pointed out in your opening statement, the SEC has 
a very visible and prominent role in promoting and enforcing ac- 
countability for corporations whose equity and debt instruments 
are traded on our securities markets, and therefore, it is critically 
important that it lead by example. 

In its 2004 Performance and Accountability Report, SEC leader- 
ship noted its intention to do so and to try to serve as a model for 
other Federal agencies. I believe that they were sincere when they 
made that commitment. I know that they are taking steps to try 
to deliver on that. But that is not going to be accomplished over- 
night. 

Mr. Chairman, it is important for the SEC to lead by example 
for a variety of reasons, not just to make sure that we have proper 
accountability over these funds, but also to maintain the credibility 
of the agency, given its mission, and to make sure that its regu- 
latory enforcement activities have full force and effect not only in 
law, but also in substance and as they are viewed by those that 
they regulate to. 

Last thing, there are two issues that I would like to raise for 
your attention that I think are noteworthy, one of which is the fact 
that if you look at the SEC’s financial statements, which I am sure 
you have, you will see there is about a $4 billion balance with the 
Treasury. Of that $4 billion balance with the Treasury, about $3 
billion of that represents the accumulated positive results of oper- 
ations for the SEC throughout its history. This is shown as a re- 
stricted asset on the balance sheet of the SEC. It is eliminated in 
consolidation when you come up with the consolidated financial 
statements of the U.S. Government, but as you probably noted, Mr. 
Chairman, those funds are not available for use by the SEC unless 
the Congress appropriates such funds. It has done so on occasion 
in the past. I believe at least once in the past. This amount also 
serves to note that this has been a self-sustaining organization
over many years. However, there are ongoing discussions and de- 
bate about whether and to what extent the current accounting 
treatment should be continued in the future. 

Second, I would also note that of the roughly $4 billion that was
held by the Treasury as of the end of last fiscal year, that $863 mil- 
lion represented two fiduciary funds from disgorgements that were 
being held for the benefit of others. Up until November 2004, those 
funds were not earning any interest. They were not invested ac- 
tively. They were just in an account of the Treasury. While reason- 
able people can debate about who should invest it and how they 
should be invested, I believe that since these are fiduciary funds, 
it is important that they be invested for the benefit of those who 
would ultimately receive payment. 

I thank you, Mr. Chairman. I look forward to hearing from my 
colleague here today at the panel and answering your questions 
thereafter. 

Senator Coburn. Thank you, General Walker. Mr. McConnell.

TESTIMONY OF JAMES M. McCONNELL,¹ EXECUTIVE
DIRECTOR, U.S. SECURITIES AND EXCHANGE COMMISSION

Mr. McConnell. Thank you, Chairman Coburn. My name is Jim
McConnell. I am the Executive Director of the SEC. The views I 
express today are my individual views and do not necessarily re- 
flect the views of the Commission or the commissioners, including 
the acting chairman. 

I appreciate the opportunity to testify today about the SEC’s au- 
dited financial statements and facilities budget estimates. Given 
the SEC’s regulatory responsibilities, it is critical that the agency 
maintain strong financial management practices and that we use 
our funds efficiently and effectively. 

Like many private companies, the SEC has invested tremendous 
time and energy on our financial management practices and inter- 
nal controls. As the regulator overseeing the financial markets and 
the accounting industry, it is entirely appropriate that we do so. As 
you know, these efforts have uncovered some weaknesses that we 
are working aggressively to resolve. 

Although the audit and internal controls program have presented 
challenges, we believe that the process will pay dividends in the 
form of stronger and more effective financial management at the 
SEC and as an important government-wide initiative. 

I would like to begin by discussing the first ever audit of the 
SEC’s financial statements. The release of our fiscal year 2004 Per- 
formance and Accountability Report in May was the culmination of 
2 years of hard work by Commission staff and our GAO auditors. 
I want to thank them all for their efforts. 

The good news is that the GAO found that our financial state- 
ments were presented fairly in all material respects, in conform- 
ance with U.S. Generally Accepted Accounting Principles. Clean fi- 
nancial statements are quite an achievement for a first-time audit. 
When the 24 major Federal agencies began issuing audited finan- 
cial statements in 1996, only six received unqualified opinions on 
their first audit and many agencies still have not achieved unquali- 
fied opinions. 

The GAO also performed an audit of the SEC’s internal controls 
over financial reporting and the report concluded that our controls
in three areas were not fully effective. Specifically, the report identified
material weaknesses in the areas of recording and reporting
of disgorgements and penalties, preparing financial statements,
and information technology security. Two of these weaknesses, IT
security and disgorgements and penalties, are weaknesses that the
agency has been working on for some time and that have been reported
previously under the Federal Managers Financial Integrity
Act.

¹ The prepared statement of Mr. McConnell appears in the Appendix on page 43.

The first material weakness relates to the controls over our ac- 
counting for disgorgements and penalties ordered by courts as a re- 
sult of SEC enforcement actions. While the judgments awarded by 
the courts are for specific amounts, the collection is frequently un- 
certain and requires efforts over a period of years. Let me empha- 
size that all fines and penalties are accounted for and no payments 
have been lost. Instead, the GAO found that the SEC did not have 
a sufficiently comprehensive policy governing the accounting for 
these amounts and found inadequate internal controls in the proce- 
dures and systems for recording of judgments and the allowance for 
uncollectible accounts. 

The GAO found a second material weakness related to the SEC’s 
internal controls over the process for preparation of financial state- 
ments. This was the SEC’s first audit and the procedures used to 
prepare our statements involved significant manual effort by SEC 
staff. As a result, the policies, practices, and procedures had not 
been fully documented and integrated into the agency’s operations. 

Finally, GAO’s audit confirmed weaknesses in the SEC’s information
technology security that had been reported in prior years
through our FMFIA program. These weaknesses include insufficient
access controls, network security, and monitoring of security-related
events. However, I should also note that GAO found we had
taken the right set of initial steps to address the weaknesses, in- 
cluding hiring a new Chief Information Security Officer and estab- 
lishing a centralized security management program. 

Because of the SEC’s regulatory role, we believe the agency must 
lead by example through handling of internal control weaknesses. 
Just as with private companies, we believe it is critical to forthrightly
disclose our weaknesses and work to mitigate them as completely
and quickly as possible. Full disclosure is entirely appropriate
for the Federal sector as it is for the private sector.

With respect to our facilities budget estimates, and as you know, 
the SEC recently discovered it had underestimated tenant build- 
out costs for new agency facilities in Washington, New York, and 
Boston by about $48 million over the next 3 years. These areas are 
serious and reveal the need to improve our facilities management 
and budget planning functions. However, I should note that there 
have been no cost overruns on existing contracts. These mistakes 
pertain to estimates of future cost. Also, the SEC will be able to 
deal with these costs within existing funding levels and has submitted
a reprogramming request that will correct our budget allocations.
As you know, Representative Wolf has asked the GAO to
review the actions that led to this change in estimates and the ac- 
tions the SEC has taken in response and we welcome their involve- 
ment. 

The SEC has taken action to rectify the conditions that led to
these project management and budget planning failures and ensure 
they do not recur. The agency has removed several staff from these 
projects, added new project staff, and is working to strengthen our 
budgetary formulation, internal controls, and oversight capabilities. 
Among other improvements, the SEC recently created several new 
budgeting and project oversight positions in administrative services 
and added budget formulation staff in our Office of Financial Man- 
agement. The SEC is also planning a new budget formulation activ- 
ity-based costing system that will greatly enhance the quality and 
timeliness of the data related to our administrative and operational 
costs. 

We believe that strengthening our internal controls and financial 
management practices will have significant benefits for the SEC 
and will allow us to be more effective in fulfilling our mission to 
protect investors. 

I would like to thank the Subcommittee for your interest in and 
commitment to these important topics. I would be happy to answer 
any questions. 

Senator Coburn. Thank you very much for your testimony. 

General Walker, are there specifics outside what Mr. McConnell 
mentioned in terms of the recording and reporting disgorgements? 
I mean, how is it that you don’t account for those? How is it pos- 
sible that you don’t have a system to properly account for that? 

Mr. Walker. I think what is fair to say, Mr. Chairman, is that 
the amount of disgorgements has increased dramatically in the re- 
cent years because of some of the failures in the private sector. One 
of the things that we found in this and a couple of the other areas 
which resulted in material control weaknesses was that there was 
a lack of comprehensive and documented policies and procedures 
with regard to how to handle these matters. 

There were also issues with regard to our dated and non-inte- 
grated information systems that need to be addressed, and part of 
this was exacerbated by the fact that, due to the increased activity 
with regard to disgorgements in the last several years, it was quite 
a challenge for the SEC staff to deal with that increased vol- 
ume — 

Senator Coburn. But what you are really saying is they didn’t 
have good systems and control to begin with, because had they had 
the systems in, even with increased volume, if you have a system 
in, you are going to be able to handle it. 

Mr. Walker. That is correct, and they are taking steps to docu- 
ment their policies and procedures, deal with the staffing issues, 
and provide for enhanced responsibility and accountability. Ulti- 
mately, they are going to have to do some more on the systems 
side, but that is going to take more time. 

Senator Coburn. In your testimony, you listed 13 actions that 
the SEC could take in order to improve controls over the financial 
reporting process. In their response to your statement, the SEC 
stated they plan to increase their financial reporting staff and for- 
malize policies and procedures, much as what you had rec- 
ommended. Are you aware of the progress the SEC has made on 
any of these recommendations? 

Mr. Walker. They have made some progress. I think one of the
SEC’s biggest challenges right now, is the agency is in a time of 
transition. As you know, Chairman Donaldson has now left the 
SEC. We have the pending confirmation of Congressman Cox as 
the President’s nominee to serve as Chairman. I think one of the 
biggest challenges with regard to a number of these recommenda- 
tions is to make sure that the SEC’s leadership continues to be 
committed to these types of changes and continues to hold people 
responsible and accountable for making progress on these various 
recommendations. So yes, they are making progress, but it is this 
transition in leadership that is probably the biggest risk at the 
present point in time. 

Senator Coburn. Should the SEC, given the onus of their re- 
sponsibility in terms of all the other markets, all the other people 
whose debt and equity trade in this country who have to have out- 
side audited financial statements, should they be subjected to the 
same groups that audit their customers? In other words, why 
wouldn’t we want a PricewaterhouseCoopers doing the audit at 
SEC? 

Mr. Walker. With all due respect, Mr. Chairman, I would sug- 
gest several things. First, we do as good or better of an audit than 
one might be able to obtain from one of the private sector firms. 

Second, there are certain potential conflicts that would exist if 
one of the major private sector firms were to do the audit for the 
Securities and Exchange Commission. As you know, the SEC has 
to oversee the PCAOB, the Public Company Accounting Oversight 
Board, which has the responsibility to oversee the major accounting 
firms, and so the SEC was rightly concerned about a potential con- 
flict of interest. 

I also would note, Mr. Chairman, that to the SEC’s credit, while 
they are not required under current law to obtain an opinion on 
their internal accounting control system dealing with financial re- 
porting, that is a standard practice we perform for the entities we 
audit, even though it is not required by law. We conferred with 
SEC management and they agreed that would be an appropriate 
thing to do for the SEC. Frankly, not just because it passes a cost- 
benefit test, but because of the issue that you talked about before, 
to lead by example and to demonstrate that they are subjecting 
themselves to the same type of audit procedures that those they 
oversee and regulate are subjected to. 

Senator Coburn. Mr. Walker, are you aware of a time estimate 
that SEC has given to implement a new system as far as the 
disgorgements and the control of those? In the meantime, what can 
SEC senior management do to mitigate the risks related to the sys- 
tems and data and penalties for payments and disgorgements? 

Mr. Walker. We have made a number of specific recommenda- 
tions, Mr. Chairman, as to things that we think they should do, 
many of which are outlined in my detailed testimony. Several re- 
late to interim steps recognizing that building this new integrated 
system is going to take some time. Therefore, there are interim 
steps that need to be taken to provide for enhanced controls in the 
interim. 

Mr. McConnell may have a better answer on when they expect 
to be done. 

Mr. McConnell. We expect to have each of these internal control
weaknesses fixed in 2006, for that audit.

Senator Coburn. So that is the audit for fiscal year 2006? 

Mr. McConnell. That is the audit for fiscal year 2006. 

Senator Coburn. So it won’t be fixed when you are audited this 
year? 

Mr. McConnell. That is correct. 

Senator Coburn. OK. I think you should be congratulated for the 
accomplishment of getting a clean audit as far as your numbers. 
That is a hard thing to do. 

Describe for me the sources of SEC’s funding and what happens 
to the surplus. General Walker talked about the $4 billion surplus 
that you paid into the Treasury, of which 25 percent is roughly 
money waiting to go back out in terms of penalties or disgorge- 
ment. What is the source of the funds? 

Mr. McConnell. We are an appropriated agency. Our appropria- 
tion, however, is entirely offset by the fees that we collect. Let me 
give you an example, for fiscal year 2006, the budget that we are 
working on now, we estimate that we will collect $2.1 billion in 
fees. Those fees go to the general fund of the Treasury and are ac- 
cumulated in an account in our name. We are then appropriated 
through the regular, normal appropriations process, and our appro- 
priations for 2006 is right now intended to be $888 million. 

Senator Coburn. Eight-hundred-and-eighty-eight million. 

Mr. McConnell. So the remainder of that $2.1 billion is then 
available for — it offsets the entire CJS appropriation and is avail- 
able, then, to use elsewhere. But the money that we get is actually 
subtracted from the amount and the remainder is held in that ac- 
count. 

Senator Coburn. Right. 

Mr. Walker. They reduced the deficit, Mr. Chairman. 

Mr. McConnell. Yes. 

Mr. Walker. Last year, they reduced the consolidated deficit of 
the U.S. Government by, on an accrual basis, by about $575 mil- 
lion. 

Senator Coburn. And if they are more transparent, more results 
oriented, more competitive oriented, more priority setting oriented, 
more responsive and more spending discipline, they can increase 
that. That is what I am after. It is great that they are there, but 
they are in a position with which they collect a lot of money based 
on the fact that people aren’t doing the right things. 

The interesting thing would be is what would your budget be net 
of appropriations if we had 100 percent compliance and we didn’t 
see the fines and penalties that were coming. 

Mr. McConnell. What would our budget be in 

Senator Coburn. In other words, there wouldn’t be any net dif- 
ference. In other words, you would be appropriated what you need- 
ed if there, in fact, were not compliance fines and penalties. 

Mr. McConnell. I think maybe I have confused things here. The 
fees that we collect I am talking about are transaction fees on ex- 
changes and the registration of securities. That $2.1 billion has 
nothing to do with fines and disgorgements. That is a total sepa- 
rate amount. 

Senator Coburn. Right. But there are penalties, though, that go
into that, is that not correct? 

Mr. McConnell. Well, yes. Those are the result of enforcement 
actions. None of those monies are available to the SEC or to the 
Federal Government at all for the purpose of appropriations. 

Senator Coburn. So when we talk about you are going to collect 
through fines, penalties, assessments, and fees in excess of $2.1 bil- 
lion — 

Mr. McConnell. It is actually more than that. 

Senator Coburn. OK. 

Mr. McConnell. The $2.1 billion is strictly the amount we col- 
lect in fees placed upon transactions on exchanges or public compa- 
nies registering securities. 

Senator Coburn. OK. The penalties and fines 

Mr. McConnell. The fines, penalties, and disgorgements, you 
can’t anticipate exactly what they are going to be, but $800 million, 
let us say, is a number that I think is currently in the Treasury 
accounts. So that is a totally separate amount. They are not addi- 
tive for purposes of appropriation 

Senator Coburn. Right, and they are set aside. 

Mr. McConnell. Yes. 

Senator Coburn. All right. 

Mr. Walker. Basically, Mr. Chairman, just to reiterate, the fines 
and penalties go directly to the Treasury and, therefore, they don’t 
affect the appropriated amounts for the SEC. These amounts serve 
to directly reduce the Federal deficit and related public debt needs. 

Senator Coburn. Transaction fees, the tax on every time I buy 
a stock 

Mr. Walker. That is exactly right. 

Senator Coburn [continuing]. Comes in at $2.1 billion. 

Mr. Walker. When you get your confirmation statement, you of- 
tentimes see a little SEC 

Senator Coburn. I have seen it. I have seen it. [Laughter.] 

Senator Coburn. Let me defer to Senator Carper, our Ranking 
Member, for a statement and I will let you ask questions. 

OPENING STATEMENT OF SENATOR CARPER 

Senator Carper. Thanks very much. Gentlemen, welcome. How 
are you? 

Mr. Walker. It is good to see you, Senator.

Senator Carper. It is good to be here. First, I will just start with 
a short statement. 

In addition to the responsibilities that I share here with Dr. 
Coburn, I also serve on the Senate Banking Committee and I know 
fairly well, then, that we have given the SEC a big job, a couple 
of big jobs to do in the last several years in trying to make sure 
that firms in the private sector are more accountable and live up 
to the standards that we have established in a wide variety of 
areas. 

I am really pleased that given that role — and the hearing today 
is to hold the SEC accountable — but also to recognize that you are
holding yourselves accountable, and GAO’s audit of you would seem 
to suggest that is the case. 

Based on what I have been able to learn so far, it appears that
the SEC is doing about as well as could be expected at this point 
in time. I think we passed the law in 2002 that added the SEC to 
the list of agencies that had to be audited and I think you went 
through your first one in 2004 and came away with a qualified 
audit. I think you are to be commended for that. I think I heard 
Dr. Coburn commending you all already. 

I would just note that I think that some other agencies — every 
now and then, you hold a hearing and the idea is to put a spotlight 
on folks that aren’t doing their job very well and that could do a 
whole lot better. In this case, this hearing is really more akin to 
putting a spotlight on folks who have done a good thing and to, 
rather than to say, get on the stick, just to say we are glad that 
you are providing a good model for others. Everything we do, we 
can always do better, but I think what you have done is certainly 
commendable. 

We have actually had some discussion on the issue of improper 
payments at an earlier hearing. I think General Walker was here 
for the discussion on one of those. I think it is about $45 million, 
is the number that we have heard, mostly in overpayments, in 
some cases underpayments, but that is what we are told at least 
is the magnitude of the problem. I would like to learn, maybe be- 
fore we leave today, from the SEC about how you feel you have 
benefited from GAO’s audit of your internal controls and, if pos- 
sible, to explore whether other agencies might benefit from a simi- 
lar kind of audit. 

Agencies need to have the internal capability to detect and to 
prevent improper payments before they happen, but it is my under- 
standing that most don’t receive audited opinions of their internal 
controls, and as a result, they don’t have maybe as good a sense 
of how well they are doing on that score. 

As far as I can tell, the SEC doesn’t have a problem with respect 
to improper payments, but I would just note for the record again 
that every dollar that is spent unwisely, whether it is accidentally 
or fraudulently misspent, is one more dollar that is taken away 
from a worthwhile program or that could go back to our taxpayers. 

With that having been said, let me just ask a couple of questions, 
maybe one or two for General Walker and then maybe a question 
or two for you, Mr. McConnell. 

Let us talk about the scope of the audit that was done at the 
SEC, if we could. The scope of the audit included internal controls, 
and as I said earlier, as far as I know, neither the SEC nor other 
agencies are required under the law to have an independent audit 
of their internal controls. In fact, I think the only major problem 
that you found at the SEC may have centered on internal controls. 

How could the kind of internal control audits that you conducted 
at the SEC help other agencies to detect and to prevent improper 
payments? 

Mr. Walker. Senator, you are correct in noting that the SEC is 
not required by law to have an audit dealing with its system of in- 
ternal accounting control and to have an opinion expressed by its 
external auditor. In our case, we do that on every entity that we 
audit. We proposed that when the SEC approached us about doing 
their audit. We helped them understand what we felt the benefit 
was, including reducing the possibility of improper payments, but 
in addition to that, to provide reasonable but not absolute assur- 
ance to help facilitate economy, efficiency, and effectiveness as well 
as the fair reporting of financial information. The SEC agreed. 

My personal view is that requiring an audit on the system of in- 
ternal accounting control is not something that makes sense for 
every government audit. However, I think there are circumstances 
based upon value and risk, and one of the factors that might be 
considered is the possibility of improper payments where it does 
make sense to have an audit of the system internal accounting con- 
trols. But I believe that should be something that should be done 
on a facts and circumstances basis rather than saying every gov- 
ernment agency should automatically have to do that. 

Senator Carper. I think you said on the basis of facts and risks? 
Talk a little bit about that 

Mr. Walker. Value and risk. 

Senator Carper. Value and risk? 

Mr. Walker. In other words, how much money is involved? What 
is the potential for abuse? To what extent has work been done to 
ascertain the likelihood of improper payments or other types of ac- 
tivities that one could seek to effectively avoid through having a 
stronger system of internal accounting controls? 

This is an element that needs to be more directly considered, and 
one of the things that I have asked for the Joint Financial Management 
Improvement Program Principals to address, namely the Secretary 
of the Treasury, the Director of OMB, myself, and the head 
of OPM. Specifically, that group will discuss whether and under 
what circumstances Federal Government agencies should be re- 
quired to have an opinion on their system of internal accounting 
controls. This is an active topic and I hope that we can gain some 
consensus among that group. 

It could be done, arguably, without legislation if OMB decided 
that it was something that should be done. We can report back to 
you on what the progress is on that if you would like. 

Senator Carper. Give me some idea what the time line might be 
for doing that. 

Mr. Walker. I have asked for a meeting of the principals to be 
held within the next 2 months. I don’t know if it has been sched- 
uled or not yet. From a practical standpoint, if this was going to 
be required, it would be for next year’s audit, not this year’s audit, 
if a consensus can be reached. 

Senator Carper. Sure. 

Senator Coburn. Are the firms that the SEC oversees, are they 
not required to have in their audit opinion their internal controls? 

Mr. Walker. Sarbanes-Oxley requires public companies to un- 
dergo an audit of their system of internal accounting controls relat- 
ing to their financial reporting requirements, and so, yes, public 
companies are required to obtain such an opinion. However, private 
companies are not, not-for-profit entities are not, and government 
agencies are not at the present point in time. 

Senator Carper. A follow up to this issue of internal controls. 
With respect to the recommendations and your findings at the SEC 
and any recommendations that you may have made, how were they 
received by the SEC, and I would ask both of you to answer. 

Mr. Walker. I would echo the comments that were made earlier. 
Specifically, there was a serious and sustained undertaking for 2 
years to achieve the results for this first audit by the SEC staff as 
well as the GAO staff. Top management at the SEC took this very 
seriously, and that goes right up to former Chairman Donaldson. 
He understood that this was an important issue and there was a 
need for the SEC to lead by example in this regard. I believe he 
took it very seriously. 

The SEC’s response to our recommendations has generally been 
very positive. The key now is to make sure that continues through 
the transition in leadership. As you know, there is a pending tran- 
sition in leadership at the SEC. My understanding is, under the 
statute, it is the chairman who has the responsibility and authority 
for these types of matters. So the chairman’s commitment is key 
to continued progress in this area. 

Senator Carper. Mr. McConnell, do you want to add anything to 
that? 

Mr. McConnell. Yes. It is really part of the fiber of the SEC to 
have undertaken an internal control audit. We would never have 
considered doing otherwise. In speaking with GAO at the outset of 
this undertaking, it sounds trite, but we really do want to be the 
gold standard. We want to have all these boxes checked and we ex- 
pected their audit to treat us as if we should be the gold standard 
and we wanted them to give us everything. We view the findings 
that they submitted to the SEC as a way in which we can achieve 
that and we intend to do so. 

We think it has been an incredibly valuable experience. Person- 
ally, I have just been very pleased with the response throughout 
the agency to a recognition that these material weaknesses and the 
financial audit that we undertook is among the highest priorities 
the agency has. 

Senator Carper. One last question, if I could, for you, Mr. 
McConnell, and the question is about your budgeting related to the 
construction of your new headquarters. If you all have already got- 
ten into this, just tell me, but I appreciate your honesty about it 
and your efforts to address the cause of these concerns. 

It seems to me that the problem is related to what may be a com- 
munications breakdown almost. What I am told is that may have 
occurred. Let me just ask, what steps have been taken to ensure 
that the lines of communication between folks on your staff, the 
SEC staff who are working on projects like this, and those in your 
budget office, to make sure that those lines of communication are 
open? 

Mr. McConnell. We have done a number of things already and 
additional items are planned. Basically — and communications is a 
good way to put it. It is absolutely essential that the needs that 
we provide funds for throughout the agency, the administrative 
needs, the support and management needs, start with good commu- 
nications from the programs so that we know exactly — and we are 
working in that area — what the programs need, so that in enforce- 
ment, in market regulation, in investment management, we have 
dedicated people — and we are dedicating those people now — to 
identifying their needs. And then they come to administrative services 
and we have the people there that will understand their needs, 
work with them, and turn them into budget estimates for supplies, 
materials, buildings, whatever it is they need. 

Then the administrative services people have to have the ability 
to analyze budgets. They haven’t had that in the past and they are 
going to have that now. We have put a branch together that will. 
So it is not just an accumulation function of everybody’s wants and 
needs. It is communication and gathering information, but then it 
is analyzing and understanding it. 

And we also intend to have our Financial Management office 
beefed up to have similar oversight capabilities. So it is an iterative 
process of asking questions about budget estimates, what they 
need, and are these meeting their needs. 

And then when it comes to the top of the agency, we will have 
the ability to really see the record, know who did what, who was 
responsible, and that they, in fact, did the job and will understand 
fully the entire process from beginning to end for how those budget 
estimates were developed. 

Senator Carper. Could I ask maybe one more? 

Senator Coburn. Sure. 

Senator Carper. Thanks. I understand that the Secretary has 
known for some time about some of the information security prob- 
lems at the agency that GAO has, I believe, now highlighted. I also 
understand that you hired someone fairly high-ranking with the re- 
sponsibility of tackling those problems and developing some, I 
guess, agency-wide security guidelines. What I would like to ask is, 
why has the problem been such a difficult one to tackle and can 
you just give us some idea what this new person, this new official 
is supposed to do to assure that the secure financial information is 
protected from tampering or from some other kind of potential 
problems? 

Mr. McConnell. Information system security is, I think as Mr. 
Walker indicated, a government-wide problem. Every agency is 
grappling with how to make sure its systems meet the test that 
has currently been established for information security. That is 
part of the issue. This has been a developing area. It is not a 
science, but it is a developing sort of a regimen for how security 
ought to be employed in each agency. 

So each year, it has improved. We understand better how to 
make things secure, what level of security you ought to achieve. So 
it has been very hard to keep up with that. I think that now we 
have had a maturation of sort of the security posture that agencies 
ought to be and we really know very well what we have to achieve 
and how to get there. 

The new person we have brought in, we are very enthusiastic 
about. She knows how to do it. She has done it in the private sector 
and we are very enthusiastic that we have both the people now, we 
have the resources. As a member of the Banking Committee, you 
know fully well that we have had substantial funding increases, in 
large part due to Sarbanes-Oxley. So we have had the resources to 
apply to this problem and I think we have the right kind of plans 
in place to get there. We are confident that in 2006, we can achieve 
eliminating this as a material weakness. 

Senator Carper. Mr. Walker, do you want to add anything? 

Mr. Walker. Yes, if I can, Senator, just to reinforce, this is a 
government-wide high-risk area. It is an area that we believe the 
SEC is taking seriously. I would note that there are a number of 
major departments and agencies that have a similar challenge, in- 
cluding some of the largest ones in government, like the Depart- 
ment of Defense, the Department of Homeland Security, etc. But 
I believe that they are on the case. 

Senator Carper. Great. Gentlemen, thank you very much. 

Senator Coburn. Mr. McConnell, I want to go back for a minute 
to a couple of things. I am trying to figure out the relationship be- 
tween your office and the Chairman. You have been there since 
1990, 15 years. You have had administrative responsibility for this 
agency that entire time. How is it that you can have a $50 million 
overrun on buildings and you not be aware it has happened? How 
does that happen? Chairman Donaldson had his performance dash- 
boards in there. Are they not working? They don’t work? Is some- 
body not talking to anybody? 

Either this system was gamed or somebody is totally incom- 
petent. It is one of those two. You can’t be $29 million off on a $5 
million building. You can’t be $17 million off on a $14 million build- 
ing. And you can’t be $8 million off on a $2 million building. How 
does something like that happen? 

Mr. McConnell. Well, first, maybe I should deal with the num- 
bers first. We have been interacting with your staff on these and 
it is a fairly complicated situation. We are talking about four dif- 
ferent sites over multi-year periods. It actually started in 2002 and 
extends out to 2007. The costs that you are identifying here are ac- 
tually those that are mostly associated with what we are trying to 
achieve with respect to our reprogramming in 2005 and some of the 
actions we need to take in 2006 to finish up these projects. 

Senator Coburn. Well, but reprogramming is another word for 
taking money from somewhere else to use in a different direction. 
Is that true, that the original 2005 estimate on the New York City 
building was $5 million? 

Mr. McConnell. That is not correct. 

Senator Coburn. What was the original estimate? 

Mr. McConnell. Well, there actually was no original estimate 
for the New York City build-out. 

Senator Coburn. So we built a building without an estimate? 

Mr. McConnell. We obtained a new leasehold in New York that 
was going to require a build-out, but there was a mistake made, 
and competency is clearly an issue here. 

Senator Coburn. What was the mistake? 

Mr. McConnell. A mistake was made that — it was an omission 
in developing estimates for how much money we needed to build 
out new leaseholds in New York City. We were moving from one 
building to another. During that transition, that cost was not esti- 
mated. The $5 million cost is, in fact, what was needed to repay 
our former tenant for build-out work that we were going to be 
doing there. 

Senator Coburn. So what was the 2005 true estimate for the 
New York City building? 

Mr. McConnell. At the time that the 2005 budget submission 
was made, there was no estimate for the build-out 

Senator Coburn. When you all made the decision to go ahead 
and said, we are going to do this, what was the estimate? 

Mr. McConnell. Well, that is the point. The decisions were 
made to go ahead, but the lease wasn’t actually signed until March 
and these budget estimates were done in February. At the time 
these budget estimates were done in December — excuse me — no 
number was put in for tenant improvement work for the new lease 
for our new space in New York. It was an omission. 

Senator Coburn. OK. Did somebody know a number at some 
time before now? 

Mr. McConnell. We only this spring have developed numbers, 
and those numbers are what is reflected in our reprogramming re- 
quest and the budget estimates we are currently working on. 

Senator Coburn. Would you tolerate that from somebody you 
regulate? 

Mr. McConnell. I am not tolerating it from the SEC at all. 

Senator Coburn. Let me ask you about the reprogramming, be- 
cause you are financing this at 9 percent? 

Mr. McConnell. Well, there are two items here. Any time you 
do tenant improvement work for your leaseholds, you have a build- 
out, you can do that either of two ways. You can amortize it with 
your rent, which is the common practice, or you can pay for it up 
front in a one-time payment. 

The SEC generally tries to do a combination because it does 
lower your out-year costs and it is somewhat more efficient. You do 
borrow that money essentially at 9 percent from a building owner 
to have that tenant improvement allowance as part of your lease. 
You also borrow it from the government when you initially make 
an up-front payment. That is right now about 5.5 percent. So it is 
somewhat more expensive to extend those costs out. That is the 
common practice 

Senator Coburn. But why would we spend more money to do 
that, especially when you all have reserve funds that you could 
come to the Congress and say, we would like to use these — you are 
talking 3.5 percent on $69 million in total, which over the life of 
the lease is a lot of money. Why would we not opt to save that 
money for the American taxpayer? 

Mr. McConnell. Well, it is two questions. We did approach our 
appropriations staff about the possibility of adding monies for our 
2005 budget. That was not possible at the time. In the reprogram- 
ming, we clearly identified two different options, either do it up 
front or we can do it through an amortization, which is the normal 
way of doing it. It is a standard practice to have as part of your 
lease the costs of tenant improvement, because then you pay for 
those tenant improvements over the course of the life of the lease. 

Senator Coburn. Is that standard practice in GSA? 

Mr. McConnell. It is. In fact, GSA has the clauses for these 
types of 

Senator Coburn. So it is standard practice when we have money 
sitting in the Treasury or we can borrow from ourselves at, right 
now, 30-year notes under 6 percent — it is five-point-some-odd per- 
cent — 

Mr. McConnell. Correct. 

Senator Coburn [continuing]. For a 30-year note. So we would 
go and pay 9 percent rather than borrow at 5 percent what we can 
borrow, and that difference, that 3.75 percent, we are just going to 
let the American taxpayer pay, and that is standard practice. That 
is what you are telling me, government-wide 

Mr. McConnell. It is entirely normal practice for us to use in 
leases, and it is throughout government and in the commercial sec- 
tor. 

Senator Coburn. Let me go back. Mr. Walker, do you find any- 
thing wrong with that picture? 

Mr. Walker. Mr. Chairman, part of the issue is how the govern- 
ment keeps score. You are correct in noting that to the extent that 
the government ends up financing it, the cost of capital is less. We 
can borrow from the public at much less than 9 percent. 

What ends up happening is when the government ends up spend- 
ing the money up front, and therefore de facto financing it through 
the cost of capital for the Federal Government, it means that the 
Federal deficit goes up. In addition, the amount of money that is 
at the Treasury in the X account for the SEC is not readily avail- 
able to the Securities and Exchange Commission. What would have 
to happen is they would have to make a business case, which I 
think is what you are saying they should make 

Senator Coburn. It wouldn’t have to come to that, because they 
are going to have an excess this year. It would be just a difference 
in their allocation from the appropriations bill. 

Mr. Walker. Well, there are two ways you could do it, Mr. 
Chairman. One way you could do it is to seek a reprogramming re- 
quest from the appropriators to be able to use funds that otherwise 
would be excess funds. If you did not have enough money in your 
current year appropriation, then theoretically you could seek au- 
thority from the appropriators to be able to tap into that X account, 
which is the accumulated surplus, to be able to use that in lieu of 
building it into the lease. 

Candidly, I believe this is symptomatic and symbolic of a bigger 
problem that government has. The Federal Government makes de- 
cisions based upon cash flows rather than discounted present val- 
ues on sound economic concepts. We need to rethink that. 

Senator Coburn. Yes, because borrowing that money at 5 per- 
cent and paying it back 30 years from now, the real value of the 
cost to you is actually going to go down, versus a 9 percent loan. 
You are going to lose some of that time value of money advantage 
by paying it ahead of time. In other words, financing at the lower 
rate, borrowing from ourselves, is cheaper than financing it 
through your lender at 9 percent. 

Mr. Walker. There are many decisions that the Federal Govern- 
ment makes that do not make economic sense. They are made pri- 
marily because of the way we keep score. For budget purposes, it 
is largely a cash basis rather than an accrual basis. 

Senator Coburn. I wonder if you might be willing to look at that 
government-wide for us in terms of the cost of financing when we 
are doing it this way and what that total cost is to the Federal 
Government in terms of build-out leases and everything else where 
we are financing through a landlord building improvements. 



Mr. Walker. I would be happy to talk to our staff about whether 
or not we are doing anything and what might make sense there. 

Senator Coburn. OK. I want to go back to, did we sign a lease 
without knowing what the cost was going to be? 

Mr. McConnell. We signed a lease in March, and then subse- 
quent to that, you work on how much you are going to spend and 
how much the budget will be for the actual tenant improvement 
work associated with that lease. 

Senator Coburn. Why would we not wait to sign a lease until 
we knew what something was going to cost? 

Mr. McConnell. Well, that would be the much preferred way of 
doing it. 

Senator Coburn. Well, I am saying, why wouldn’t we? I would 
never sign a lease until I knew what it was going to cost me. Why 
would the government sign a lease when it doesn’t know what it 
is going to cost them? 

Mr. McConnell. We know what the lease is going to cost in 
terms of the rental payment. 

Senator Coburn. I am talking the cost. There is no difference. 
Our grandchildren are going to pay for this one way or the other. 
The total cost, what is it going to cost in terms of financing the 
leasehold improvements, which we are going to pay for, the land- 
lord is going to get the benefit. Why would we sign a lease if we 
didn’t know what it was going to cost? 

Mr. McConnell. We generally do know what it is going to cost, 
or we have very good estimates as to what it is going to cost. You 
don’t really know finally what it is going to cost until you execute 
the lease, you select your build-out, you do the construction draw- 
ings, you bid it out to the trades, and then you get the final cost. 

Senator Coburn. Well, I want to tell you, I do a lot of commer- 
cial real estate and I am the owner of the buildings and I never 
will sign a lease until I have presented to them what it is going 
to cost and what my return is. And I can’t believe that we think 
it is common practice, nor financially sound, to sign a lease without 
knowing what the cost is. I mean, where was the time pressure to 
sign leases on this without knowing what it is going to cost? 

Maybe somebody made a mistake in terms of the follow-through 
on this. That can happen. I am not critical of that. I am critical 
that we didn’t know it was happening because the dashboard obvi- 
ously — this is happening and nobody knows it is happening until 
it has already ballooned on you. You have a degree in accounting. 
I have a degree in accounting. If you look at cost accounting, or fi- 
nancial controls, you would never do it. Why is that standard policy 
in the SEC? 

Mr. McConnell. This issue is not standard policy. This was a 
failure on our part, and I readily admit that. We had a serious 
breakdown in our budget estimating process for tenant improve- 
ment work. That is what this is. 

Senator Coburn. Do we have the option on these leases to pre- 
pay that leasehold improvement? 

Mr. McConnell. We do. When we exercise our lease, we have 
the ability to either take that tenant improvement work from it or 
pay it up front. We still have that option. 

Senator Coburn. Do you know what the difference in cost is 
going to be if we pay it up front, and based on these numbers? 

Mr. McConnell. I would have to 

Senator Coburn. Can you give that to us? 

Mr. McConnell. Yes, we could. 

Senator Coburn. If you take $50 million versus, let us say $45 
million, and the difference is 3.75 percent over 30 years on $45 mil- 
lion, that is $50 million. That is the difference in cost that we are 
going to ask our grandchildren to pay back. That is the difference 
just on the interest rate differential. So if you can take a 30-year 
note and borrow the money from the public and pay them at 5 per- 
cent and pay this thing off, why would we not want to save that 
$50 million over the next 30 years? 

Mr. McConnell. I would much prefer to have these payments 
paid for up front. It is much efficient. It is a better way of doing 
business. 

Senator Coburn. Do you have to do this process through GSA? 

Mr. McConnell. We have independent leasing authority, but we 
work in coordination with GSA, usually through a Memorandum of 
Understanding. 

Senator Coburn. You would have had an interesting time at our 
hearing yesterday with the GSA. 

Mr. McConnell. Is that right? 

Senator Coburn. Yes. The same problems. 

Let us go back to the money that you have for the disgorgement 
accounts. Why is it not earning interest? 

Mr. McConnell. I actually believe that you are not well served, 
Mr. Chairman, by me answering that because it is really an issue 
that the Enforcement Program is leading, but my understanding is 
that we have moved that over to interest-bearing accounts. 

Senator Coburn. OK. That is great news. 

Mr. Walker. Mr. Chairman, it is my understanding that as of 
the financial statement date, which was September 30, 2004, that 
it was part of the X account at the Treasury. It was not earning 
interest. However, it is also my understanding that subsequent to 
that date, that General Counsel within the SEC determined that 
the SEC had the authority to invest those funds and now has 
moved those funds out of Treasury and, I think, are now actively 
investing them in some way. 

Mr. McConnell. That is my understanding, as well. 

Mr. Walker. I am trying to follow up on that. I do believe that 
since those funds are held in a fiduciary capacity, that it is impor- 
tant that they be invested. 

Mr. McConnell. There is a fiduciary obligation that goes along 
with that. 

Mr. Walker. Correct. It is one thing to not give credit to the X 
fund that deals with the accumulated results of operations of the 
SEC because that is part of the consolidated government and ulti- 
mately, the taxpayers are going to bear the related cost. But in this 
particular case, it is somebody else’s money. 

Senator Coburn. Let me go back to Mr. McConnell for a minute. 
I want to understand the relationship between your position and 
the SEC Chairman, and you tell me if I am wrong. You are the 
hands-on management guy for the SEC, is that correct? 



Mr. McConnell. That is correct. 

Senator Coburn. And so the leadership role is in terms of true 
leading to make sure the direction is the direction that the chair- 
man and the Commission want the SEC to go, and you are submis- 
sive to their direction, is that correct? 

Mr. McConnell. I work for the chairman. The chairman is effec- 
tively the CEO of the agency. I am essentially the principal man- 
agement official. 

Senator Coburn. So with an acting chairman now, without a 
permanent chairman, you have the ability to continue all these re- 
forms that you are wanting to put forward even if we don’t have 
another chairman for another year, is that correct? 

Mr. McConnell. That is correct. 

Senator Coburn. And that is in process. 

Mr. McConnell. That is correct. 

Senator Coburn. And is that going to happen? 

Mr. McConnell. I intend for it to happen, yes. 

Senator Coburn. I know you intend to. I am asking you, is it 
going to happen? If you are sitting in the board room of a corpora- 
tion and you give that answer, nobody is going to accept it. They 
are going to say, are you going to get it done or are you not going 
to get it done? And what I want to know for everybody’s grand- 
children in this country, is it going to happen? 

Mr. McConnell. Well, I fully expect it to happen. Again, we are 
in a transition period and I have every reason to believe that a new 
chairman will follow through on these. They make sense. They are 
the right thing for the SEC and government to do. They are the 
right thing for the agency. I believe very strongly that we will con- 
tinue this aggressively. 

Senator Coburn. With a $1.3 billion excess this year, or close to 
excess in fees over costs, are the fees and charges too high? I 
mean, it is a tax, right? The fee is a tax. 

Mr. McConnell. Well, the best way for me to answer that is 
there has been lots of discussion both within the SEC and on the 
Hill with respect to making the fees more closely associated di- 
rectly with the amount of money the SEC needs. So that is being 
discussed. It has been discussed. And I fully expect that issue will 
be dealt with in the 2007 budget discussions. It is an issue, I think, 
that is important, and I think it makes a lot of sense to try and 
move in the direction of making sure the SEC presents a budget 
that is sound, is exactly what it needs, and that then the Congress 
would fund it with fees that are matched to those needs. 

Senator Coburn. And that is as it should be, right? 

Mr. McConnell. I think that is a good way to go. 

Senator Coburn. When was the last time a committee of Con- 
gress had a true oversight hearing on the SEC? Was that associ- 
ated with the Sarbanes-Oxley reform or 

Mr. McConnell. I can’t directly answer that. 

Senator Coburn. Does any of your staff know that? Does any- 
body know? 

Mr. McConnell. Because I really don’t deal with the oversight 
committees that much. I deal with the appropriators personally, 
but 

Senator Coburn. I have some questions I am going to send you, 
I am going to give to your staff, and it has to do with the Global 
Research Analysts settlement. I know that is in litigation, but I 
would appreciate very much if you would answer those the best you 
can for us to look at that. 

The only question I have is how did we ever let it get to where 
a court had to tell you to do that? 

Mr. McConnell. That is a good thing to put in the letter, Mr. 
Chairman. 

Senator Coburn. All right. Fair enough. 

I want to thank each of you for being here. There isn’t one area 
of the government in the next 6 years, if I am Chairman of this 
Subcommittee, that we are not going to look at, and we are going 
to be back talking about this in 6 to 9 months, after the first of 
the year to see where we are, after we get this next report from 
General Walker. You are well intentioned, we know you are, we 
want to help you get there, and transparency is a very key thing. 
I want people to be able to get on a computer and find out where 
you spend your money, any citizen in this country, and you ought 
to want that, too. 

Mr. McConnell. We do. 

Senator Coburn. All right. General Walker and Mr. McConnell, 
thank you very much. 

Mr. Walker. Thank you, Mr. Chairman. 

Mr. McConnell. Thank you, Mr. Chairman. 

Senator Coburn. The Subcommittee is adjourned. 

[Whereupon, at 3:34 p.m., the Subcommittee adjourned.] 
Highlights of GAO-05-880T, testimony 
before the Subcommittee on Federal 
Financial Management, Government 
Information, and International Security, 
Committee on Homeland Security and 
Governmental Affairs, U.S. Senate 


SECURITIES AND EXCHANGE 
COMMISSION 

Results of Fiscal Year 2004 
Financial Audit 


Why GAO Did This Study 

Pursuant to the Accountability of Tax 
Dollars Act of 2002, the 
Securities and Exchange 
Commission (SEC) is required to 
prepare and submit to Congress 
and the Office of Management and 
Budget audited financial 
statements. GAO agreed, under its 
audit authority, to perform the 
initial audit of SEC’s financial 
statements. GAO’s audit was done 
to determine whether, in all 
material respects, (1) SEC’s fiscal 
year 2004 financial statements were 
reliable, (2) SEC’s management 
maintained effective internal 
control over financial reporting and 
compliance with laws and 
regulations, and (3) SEC’s 
management complied with 
applicable laws and regulations. 

Established in 1934 to enforce the 
securities laws and protect 
investors, the SEC plays an 
important role in maintaining the 
integrity of the U.S. securities 
markets. 

GAO was asked by the Chairman of 
the Senate Subcommittee on 
Federal Financial Management, 
Government Information, and 
International Security, Committee 
on Homeland Security and 
Governmental Affairs, to present 
the results of its May 26, 2005, 
report, Financial Audit: 
Securities and Exchange 
Commission’s Financial 
Statements for Fiscal Year 2004 
(GAO-05-244). 


www.gao.gov/cgi-bin/getrpt?GAO-05-880T. 

To view the full product, including the scope 
and methodology, click on the link above. 
For more information, contact Jeanette M. 
Franzel at (202) 512-9471 or 
franzelj@gao.gov. 


What GAO Found 

The SEC’s first ever financial audit was performed by GAO for fiscal year 
2004. In reporting on the results of the audit, GAO issued an unqualified, or 
clean, opinion on the financial statements of the SEC. This means that SEC’s 
financial statements presented fairly, in all material respects, its financial 
position as of September 30, 2004, and the results of operations for the year 
then ended. However, because of material internal control weaknesses in 
the areas of preparing financial statements and related disclosures, 
recording and reporting disgorgements and penalties, and information 
security, GAO issued an adverse opinion on internal controls, concluding 
that SEC did not maintain effective internal control over financial reporting 
as of September 30, 2004. However, SEC did maintain, in all material 
respects, effective internal control over compliance with laws and 
regulations material in relation to the financial statements as of September 
30, 2004. In addition, GAO did not find reportable instances of 
noncompliance with laws and regulations it tested. It is important to 
remember that GAO’s opinions on SEC’s financial statements and internal 
controls reflect a point in time. 

SEC prepared its first complete set of financial statements for fiscal year 
2004 and made significant progress during the year in building a financial 
reporting structure for preparing financial statements for audit. However, 
GAO identified inadequate controls over SEC’s financial statement 
preparation process including a lack of sufficient documented policies and 
procedures, support, and quality assurance reviews, increasing the risk that 
SEC management will not have reasonable assurance that the balances 
presented in the financial statements and related disclosures are supported 
by SEC’s underlying accounting records. In addition, GAO identified 
inadequate controls over SEC’s disgorgements and civil penalties activities, 
increasing the risk that such activities will not be completely, accurately, and 
properly recorded and reported for management’s use in its decision making. 

GAO also found that SEC has not effectively implemented information 
system controls to protect the integrity, confidentiality, and availability of its 
financial and sensitive data, increasing the risk of unauthorized disclosure, 
modification, or loss of the data, possibly without detection. The risks 
created by these information security weaknesses are compounded because 
the SEC does not have a comprehensive monitoring program to identify 
unusual or suspicious access activities. 

SEC agreed with our findings and is currently working to improve controls 
in all these areas. 
Mr. Chairman and Members of the Subcommittee: 

I am pleased to be here today to discuss the results of our audit of the 
Securities and Exchange Commission’s (SEC) fiscal year 2004 financial 
statements, the first complete set of financial statements SEC has prepared 
and has subjected to an independent audit.¹ Our recent report,² issued on 
May 26, 2005, presents the results of that audit. Today, I will discuss those 
results and the steps we believe SEC needs to take to improve its ability to 
produce timely and reliable financial statements, and to produce them 
efficiently and with reasonable assurance that they are fairly presented. 
These steps will also help SEC to produce complete and reliable 
information for internal management who make decisions about SEC 
operations and expenditures, and congressional stakeholders who provide 
oversight of SEC operations and make decisions about SEC funding. 

The results of our audit were mixed — a clean opinion on the financial 
statements and an adverse opinion on internal control. Because we 
detected three material weaknesses in internal control, we concluded that 
SEC’s internal control did not reduce to a relatively low level the risk of 
misstatements material to the financial statements. In other words, 
mistakes may occur and either go undetected by employees in the normal 
course of their work or be detected too late to prevent errors or fraud. The 
material weaknesses we found relate to SEC’s internal control over 

(1) preparing financial statements and the related disclosures, 

(2) recording and reporting of disgorgements³ and civil penalties,⁴ and 

(3) information security. It is important to remember that our opinions on 
SEC’s financial statements and internal controls reflect a point in time. SEC 
has stated its commitment to enhancing its financial and operational 
effectiveness. We and others have made recommendations, which if 
successfully implemented, would help SEC to generate timely, reliable, and 
useful financial information with which to make informed decisions, 
manage daily operations, and ensure accountability on an ongoing basis. 


¹The Accountability of Tax Dollars Act of 2002 requires certain agencies, including SEC, to 
prepare financial statements and have them audited. 

²Financial Audit: Securities and Exchange Commission's Financial Statements for 
Fiscal Year 2004, GAO-05-244 (Washington, D.C.: May 26, 2005). 

³Disgorgement is the repayment of illegally earned profits. 

⁴A penalty is a monetary sum that is to be paid by the registrant to SEC as a result of a 
security law violation. 
SEC has a very visible and prominent leadership role in promoting and 
enforcing accountability for corporations whose equity and debt securities 
are traded in the securities markets. Recently, this role has also 
encompassed helping to ensure the effective implementation of the 
Sarbanes-Oxley Act, with its emphasis on internal control and corporate 
governance for the companies it regulates. At a time when many 
corporations are striving to strengthen internal controls and improve 
financial reporting, SEC has the opportunity and responsibility to serve as a 
model of good practice. In that regard, SEC stated in its 2004 Performance 
and Accountability Report, issued in May 2005, that SEC must lead by 
example with respect to the internal control requirements demanded of the 
private and federal sectors, and also articulated management’s vision that 
SEC serve as the standard against which other federal agencies are 
measured. A higher standard of accountability is appropriate for SEC as a 
government regulatory agency; moreover, it is important to the success of 
SEC’s programs, activities, and leadership in the business community and 
as a government regulator. 


Audit Results 

fiscal year 2004 financial statements for SEC, we found 

• the financial statements as of and for the fiscal year ended September 
30, 2004, including the accompanying notes, are presented fairly, in all 
material respects, in conformity with U.S. generally accepted 
accounting principles; 

• SEC did not have effective internal control over financial reporting 
(including safeguarding of assets), but had effective control over 
compliance with laws and regulations that could have a material effect 
on the financial statements as of September 30, 2004; and 

• no reportable noncompliance with laws and regulations we tested. 

We issued an unqualified, or clean, opinion on the SEC’s financial 
statements. This means that the financial statements and accompanying 
notes present fairly, in all material respects, SEC’s financial position as of 
September 30, 2004, and, as well, certain other financial information that 
the statements must provide: net cost, changes in net position, budgetary 
resources, financing, and custodial activities for the year then ended. We 
also found that the statements conform to U.S. generally accepted 
accounting principles. In order to reach our conclusions about the financial 
statements, we (1) tested evidence supporting the amounts and disclosures 
in the financial statements, (2) assessed the accounting principles used and 
significant estimates made by management, and (3) evaluated the 
presentation of the financial statements. 

We found three material weaknesses in internal control and thus issued an 
adverse opinion on internal control — stating that SEC management did not 
maintain effective internal control over financial reporting and the 
safeguarding of assets as of September 30, 2004. Internal control over 
financial reporting consists of an entity’s policies and procedures that are 
designed and operated to provide reasonable assurance about the 
reliability of that entity’s financial reporting and its process for preparing 
and fairly presenting financial statements in accordance with generally 
accepted accounting principles. It includes policies and procedures for 
maintaining accounting records, authorizing receipts and disbursements, 
and the safeguarding of assets. Because SEC makes extensive use of 
computer systems for recording and processing transactions, SEC’s 
financial reporting controls also include controls over computer operations 
and access to data and computing resources. 

Our opinion on SEC’s internal control means that SEC’s internal control did 
not reduce to a relatively low level the risk that misstatements material to 
the financial statements may occur and go undetected by employees in the 
normal course of their work. This conclusion on SEC's internal controls did 
not affect our opinion on SEC’s financial statements. This is because during 
the audit process SEC made the adjustments identified during the audit as 
necessary for the fair presentation of its financial statements. However, the 
weaknesses we found could affect other, unaudited information used by 
SEC for decision making. Our evaluation of internal control covered SEC’s 
financial reporting controls which also cover certain operational activities 
that result in SEC’s financial transactions, such as activities pertaining to 
stock exchange transaction fees, public-filing fees, maintaining 
disgorgements and penalties receivable, payroll-related transactions, and 
others. 

We also tested SEC’s compliance with selected provisions of laws and 
regulations that have a direct and material impact on the financial 
statements. For example, we tested for compliance with sections of the 
Securities Exchange Act of 1934, as amended, that requires SEC to collect 
fees from the national securities exchanges and the National Association of 
Securities Dealers based on volume of stock transactions, and sections of 
the Securities Act of 1933, as amended, that requires SEC to collect fees 
from registrants for public filings. Our tests found no instances of 
noncompliance that are reportable. We also found that SEC maintained, in 
all material respects, effective internal control over compliance. 

I would now like to discuss in detail the three material internal control 
weaknesses we found during our audit. 


Material Internal 
Control Weaknesses 


SEC Needs to Improve Its 
Controls over Financial 
Statement Preparation and 
Reporting 


We found that SEC did not have formalized processes or documentation for 
the procedures, systems, analysis of accounts, and personnel involved in 
developing key balances and preparing the financial statements and related 
disclosures. As I will discuss later, this issue is compounded by SEC's 
limitations with its financial management system. Also, SEC did not have 
formalized quality control or review procedures. As a result, we identified 
errors in the beginning asset and liability balances and in the September 30, 
2004, draft financial statements prepared by SEC management, that if had 
not been corrected, would have resulted in materially misleading operating 
results for fiscal year 2004. 


SEC’s lack of formalized processes, documented procedures, and quality 
assurance checks, significantly delayed the reporting of fiscal year 2004 
financial results, consumed significant staff resources, caused audit 
inefficiencies, and resulted in higher financial statement preparation and 
audit costs. I would like to highlight the following items we found: 

• SEC did not have documentation providing an explanation or a 
crosswalk between the financial statements and the source systems, 
general ledger accounts, account queries, and account analyses. 

• SEC did not maintain a subsidiary ledger for certain activities, such as 
customer deposit amounts pertaining to filing fees. 

• Accounting staff had difficulty in retrieving support for certain account 
balances, such as undelivered-order amounts, and for certain property 
and equipment leases. 

• Reconciliations of detail and summary account balances were not 
prepared for certain financial statement line items, such as for the 
customer deposit liability relating to filing fees and the associated 
earned filing fee revenue; the accounts receivable related to exchange 
fees and the related amount of earned exchange fee revenue; and the 
budgetary accounts related to undelivered and delivered orders, thus 
requiring SEC staff to create an audit trail after the fact. 

• There also was no consistent evidence of supervisory review of journal 
entries, including closing and adjusting journal entries made in 
connection with preparing quarterly and year-end financial statements. 

• Comprehensive accounting policies and procedures were still in draft or 
had not yet been developed for several major areas related to financial 
statements, including disgorgements and penalties, filing fees, exchange 
fees, and fixed asset capitalization. 

GAO’s Standards for Internal Control in the Federal Government 
requires that controls over the financial statement preparation process be 
designed to provide reasonable assurance regarding the reliability of the 
balances and disclosures reported in the financial statements and related 
notes in conformity with generally accepted accounting principles, 
including the maintenance of detailed support that accurately and fairly 
reflect the transactions making up the balances in the financial statements 
and disclosures. In addition, an effective financial management system 
includes policies and procedures related to the processing of accounting 
entries. 

SEC’s difficulties in the area of financial statement preparation are 
exacerbated because SEC’s financial management system is not set up to 
generate the user reports needed to perform analyses of accounts and 
activity on a real-time basis leading to SEC’s staff-intensive and 
time-consuming efforts to prepare financial statements. Because SEC does not 
maintain standard schedules for producing certain basic reports of account 
detail for analysis, users have to request reports generated on an ad hoc 
basis by a software application whose operations are known only to some 
SEC staff. Also, as I will discuss in more detail later, not all of SEC’s 
systems used for tracking and recording financial data are integrated with 
the accounting system. 


⁵GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 
(Washington, D.C.: November 1999). 
Federal agencies preparing financial statements are required to develop a 
financial management system to prepare a complete set of statements on a 
timely basis in accordance with generally accepted accounting principles. 
The financial statements should be the product of an accounting system 
that is an integral part of an overall financial management system with 
structure, internal control, and reliable data. Office of Management and 
Budget Circular No. A-127, Financial Management Systems, requires that 
each agency establish and maintain a single integrated financial 
management system — basically a unified set of financial systems 
electronically linked for agencywide support. Integration means that the 
user is able to obtain needed information efficiently and effectively from 
any level of use or access point. (This does not necessarily mean having 
only one software application covering all financial management system 
needs or storing all information in the same database.) Interfaces between 
systems are acceptable as long as the information needed to enable 
reconciliation between the systems is accessible to managers. Interface 
linkages should be electronic unless the number of transactions is so small 
that it is not cost beneficial to automate the interface. Reconciliations 
between systems, where interface linkages are appropriate, should be 
maintained to ensure data accuracy. 

To support its financial management functions, SEC relies on several 
different systems to process and track financial transactions that include 
filing and exchange fees, disgorgements and penalties, property and 
equipment, administrative items pertaining to payroll and travel, and 
others. Not all of these systems are integrated with the accounting system. 
For example, the case-tracking system and the spreadsheet application 
used to account for significant disgorgement and penalty transactions and 
the system used to account for property and equipment are not integrated 
with the accounting system. Without a fully integrated financial 
management system, SEC decision makers run the risk of delays in 
attaining relevant data or using inaccurate information inadvertently while 
at the same time dedicating scarce resources toward the basic collection of 
information. 

A properly designed and implemented financial statement preparation and 
reporting process (which encompasses the financial management system) 
should provide SEC management with reasonable assurance that the 
balances presented in the financial statements and related disclosures are 
materially correct and supported by the underlying accounting records. To 
address the issues related to SEC’s financial statement preparation and 
reporting process, we recommended that SEC take the following 13 
actions to improve controls over the process. 

1. Develop written policies and procedures that provide sufficient 
guidance for the year-end closing of the general ledger as well as the 
preparation and analysis of quarterly and annual financial statements. 

2. Establish clearly defined roles and responsibilities for the staff involved 
in financial reporting and the preparation of interim and year-end 
financial statements. 

3. Prepare a crosswalk between the financial statements and the source 
systems, general ledger accounts, and the various account queries and 
analyses that make up key balances in the financial statements. 

4. Maintain subsidiary records or ledgers for all significant accounts and 
disclosures so that the amounts presented in the financial statements 
and footnotes can be supported by the collective transactions making 
up the balances. 

5. Perform monthly or periodic reconciliations of subsidiary records and 
summary account balances. 

6. Perform a formal closing of all accounts at an interim date or dates to 
reduce the level of accounting activity and analysis required at 
year-end. The formal closing entails procedures to ensure that all 
transactions are recorded in the proper period through the closing date, 
and then closing the accounting records so that no new entries can be 
posted during that period. 

7. Distinguish common closing and adjusting entries in a formal listing, 
which is used in the general ledger closing process and in preparing 
financial statements. 

8. Require supervisory review for all entries posted to the general ledger 
and financial statements, including closing entries. A supervisor should 
review revisions to previously approved entries and revised financial 
statements and footnotes. All entries and review should be 
documented. 

9. Establish milestones for preparing and reviewing the financial 
statements by setting dates for critical phases such as closing the 
general ledger; preparing financial statements, footnotes, and the 
performance and accountability report; and performing specific quality 
control review procedures. 

10. Use established tools (i.e., checklists and implementation guides) 
available for assistance in compiling and reviewing financial 
statements. 

11. Maintain documentation supporting all information included in the 
financial statements and footnotes. This documentation should be 
more self-explanatory than what has been retained in the past. The 
documentation should be at a level of detail to enable a third party, 
such as an auditor, to use the documentation for substantiating 
reported data without extensive explanation or re-creation by the 
original preparer. 

12. Take advantage of in-house resources and expertise in establishing 
financial reporting policies, internal controls, and business practices, as 
well as in review of financial statement and footnote presentation. 

13. Develop or acquire an integrated financial management system to 
provide timely and accurate recording of financial data for financial 
reporting and management decision making. 

In response to our audit findings, SEC plans to increase its financial 
reporting staff this fiscal year, formalize its policies and procedures, and 
solicit advice from corporate financial reporting experts within SEC. SEC 
senior management has reviewed and endorsed certain initial policies 
applied in the first year of financial reporting, and has modified or 
recommended others for further review. In addition, SEC plans to establish 
a formal audit committee to provide for regular review by key management 
officials and advise on policies and controls. SEC is undertaking a 
multiyear project to replace the existing case-tracking system with a 
system that is better designed for financial reporting purposes. 

Now I would like to shift to the second material internal control weakness. 
SEC Has Control 
Weaknesses over 
Disgorgements and Civil 
Penalties 


As part of its enforcement responsibilities, SEC issues and administers 
judgments that order disgorgements and civil penalties against violators of 
federal securities laws. The resulting transactions for fiscal year 2004 
involved collections of about $945 million, and recording and reporting of 
fiduciary and custodial balances on the financial statements.⁶ SEC records 
and tracks information on over 12,000 parties in SEC enforcement cases 
involving disgorgements and penalties through a case-tracking system. 
However, the case-tracking system is not designed for financial reporting 
and is not integrated with SEC’s general ledger accounting system, which 
accumulates, tracks, and summarizes SEC’s financial transactions. 

To compensate for limitations in the system, SEC staff compiles quarterly 
subsidiary ledgers using extensive and time-consuming procedures. After 
downloading financial information on disgorgements and penalties from 
the case-tracking system to a spreadsheet with thousands of cases and 
defendants with a magnitude of approximately 1 million data elements, 
SEC staff performs numerous calculations using the data in the 
spreadsheet to compile the disgorgement and penalty balances as of the 
end of each quarter. Such a process is inherently inefficient and prone to 
error. Further, since the source of the data included on the spreadsheet is 
from the case-tracking system, whose data reliability has been reported as 
a problem by SEC for the past three years,⁷ it is imperative that specific 
control procedures be put in place to provide reasonable assurance over 
the completeness and reliability of the data in the case-tracking system. In 
addition, control procedures are needed to reduce the risk of errors in the 
spreadsheet and ultimately the reported financial statement information. 
Finally, when reviewing case files we noted instances in which the 
supporting documentation in the files contained notations by the case 
managers indicating that potential activities or transactions related to the 
case had occurred. However, there was not adequate supporting 


⁶Fiduciary activities represent the moneys collected from federal securities law violators 
and maintained by SEC to be distributed to harmed investors. Custodial activities represent 
the moneys collected by SEC from violators of federal securities laws that are returned to 
the General Fund of the Treasury, as nonfederal individuals or entities do not have an 
ownership interest in these revenues. 

⁷The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 (31 U.S.C. § 3512 (c)(d)) 
requires the head of each agency to annually prepare a statement that identifies material 
weakness in the agency’s systems of internal accounting and administrative control and 
its plans and schedule for correcting them. SEC reported material weaknesses and related 
system nonconformance issues concerning data integrity and financial reporting for 
disgorgements and penalties in its 2002, 2003, and 2004 FMFIA reports. 
documentation to support an entry to the case-tracking system. These 
instances raised questions about whether SEC’s accounting and financial 
reporting information related to penalties and disgorgements was 
potentially incomplete or out-of-date. 

As a result of the issues I have described, we concluded that SEC did not 
have adequate control procedures in place to provide adequate assurance 
over the reliability of financial information related to this area. Thus, our 
auditors performed additional testing over SEC’s financial statement 
balances related to penalties and disgorgements. GAO’s Standards for 
Internal Control in the Federal Government requires that agencies 
establish controls to ensure that transactions are recorded in a complete, 
accurate, and timely manner. Although SEC has a draft policy that covers 
certain aspects of accounting for disgorgements and penalties, it is not 
comprehensive. For example, the policy does not define who is responsible 
for recording disgorgement and penalty data or the documentation that 
should be maintained to support the amounts recorded. Of even greater 
importance, the policy does not identify controls that are critical for 
determining the amounts to be recorded and for reviewing entries for 
completeness and accuracy, including the specific types of controls needed 
for the quarterly downloading of data and use of the spreadsheets for 
arriving at the accounting entries. Nor does the policy address supervisory 
review necessary to ensure consistent application of the procedures. 

A lack of comprehensive policies and controls over disgorgement and 
penalty transactions increases the risk that the transactions will not be 
completely, accurately, and consistently recorded and reported. In our 
audit of the estimated net amounts receivable from disgorgements and 
penalties, we did find errors in the recorded balances for the related gross 
accounts receivable and allowance for loss. Specifically, we noted errors 
where SEC had made entries to the accounting system that conflicted with 
information in the files. We also noted inconsistent treatment in recording 
judgments, interest amounts, terminated debts, and collection fees 
imposed by Treasury. We believe that these errors and inconsistencies 
occurred because of the control weaknesses we found. While, in most 
cases, these errors and inconsistencies were offsetting, such errors raise 
concern about the reliability of the $1.673 billion gross accounts receivable 
for disgorgements and penalties and the related allowance amounts of 
$1.394 billion reported in footnote 3 to SEC’s financial statements. 

To address internal control weaknesses over disgorgements and penalties, 
we recommended that SEC 
1. implement a system that is integrated with the accounting system or 
that provides the necessary input to the accounting system to facilitate 
timely, accurate, and efficient recording and reporting of disgorgement 
and penalty activity; 

2. review the disgorgement and penalty judgments and subsequent 
activities documented in each case file by defendant to determine 
whether individual amounts recorded in the case-tracking system are 
accurate and reliable; 

3. implement controls so that the ongoing activity involving 
disgorgements and penalties is properly, accurately, and timely 
recorded in the case-tracking system and the accounting system; 

4. strengthen coordination, communication, and data flow among staff of 
SEC’s Division of Enforcement and Office of Financial Management 
who share responsibility for recording and maintaining disgorgement 
and penalty data; and 

5. develop and implement written policies covering the procedures, 
documentation, systems, and responsible personnel involved in 
recording and reporting disgorgement and penalty financial 
information. The written procedures should also address quality 
control and managerial review responsibilities and documentation of 
such a review. 

SEC agrees with our findings in this area and has begun efforts to 
strengthen internal controls. For example, SEC plans to complete a 
comprehensive review of files and data and review and strengthen policies 
and procedures for recording and updating amounts receivable for 
disgorgements and penalties. SEC anticipates that consistent application of 
strengthened internal controls and potentially some limited redesign of the 
existing management information system will be adequate to resolve the 
material weaknesses in fiscal year 2006. However, SEC acknowledges that 
a replacement of the current case-tracking system and a more thorough 
reexamination of the relevant business process would provide more 
effective assurance. Accordingly, in fiscal year 2006, SEC plans to complete 
a requirements analysis as the first phase of the multiyear project to 
replace the case-tracking system. 

Now I would like to shift to the discussion of the material internal control 
weakness pertaining to information security. 

SEC Needs to Address Weak Controls over Financial and Sensitive Data 


Information system controls are essential for any organization that 
depends on computer systems and networks to carry out its mission or 
business and maintain key records and accountability information. Without 
proper safeguards, organizations run the risk that intruders may obtain 
sensitive information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks. 


SEC — which relies extensively on computer systems to support its 
operations — needs a comprehensive program of general controls® to 
monitor and manage information security risks. Our review® of SEC’s 
information system general controls found that the commission did not 
effectively implement controls to protect the integrity, confidentiality, and 
availability of its financial and sensitive information. 


In March 2005, we reported weaknesses in electronic access controls, 
including controls designed to prevent, limit, and detect access to SEC’s 
critical financial and sensitive systems.*® We found these weaknesses in 
user accounts and passwords, access rights and permissions, network 
security, and the audit and monitoring of security-related events. These 
weaknesses were heightened because SEC had not fully established a 
comprehensive monitoring program. 

We identified the following electronic access control weaknesses: 

• SEC operating personnel did not consistently set password 
parameters — such as a minimum of six digits including both numbers 
and letters — to ensure a level of difficulty for an intruder trying to guess 
a password, and users sometimes did create easy-to-guess passwords. 


Information system general controls affect the overall effectiveness and security of 
computer operations as opposed to being unique to any specific computer application. 
These controls include security management, operating procedures, software security 
features, and physical protection designed to ensure that access to data is appropriately 
restricted, computer security functions are segregated, only authorized changes to 
computer programs are made, and back-up and recovery plans are adequate to ensure the 
continuity of essential operations. 

GAO-05-244. 

See GAO, Information Security: Securities and Exchange Commission Needs to Address 
Weak Controls over Financial and Sensitive Data, GAO-05-262 (Washington, D.C.: March 
23, 2005). 

• All 4,100 network users were inadvertently granted access that would 
allow them to circumvent the audit controls in the commission’s main 
financial systems. 

• Key network devices were not configured to prevent unauthorized 
individuals from gaining access to detailed network system policy 
settings and lists of users or user groups. 

• SEC did not have a comprehensive monitoring program for routine 
review, audit, or monitoring of system user-access activities. For 
example, audit logging, which is typically used to track certain types of 
activity on a system, was not consistently implemented on network 
services and there was no real-time capability to target unusual or 
suspicious network events for review. In addition, SEC had not fully 
implemented a network intrusion-detection system. The commission 
did, however, have several initiatives under way to monitor user access 
activity. 

We also identified weaknesses in other information system controls — 
including physical security, segregation of computer functions, application 
change controls, and service continuity. For instance: 

• At the time of our review, 300 employees and contractors had physical 
access to SEC’s data center. Persons with access included an 
undetermined number of application programmers, budget analysts, 
administrative staff, and customer support staff. Typically, persons 
serving these functions do not need access to the data center for their 
work. 

• SEC had not sufficiently separated incompatible^^ system administration 
and security administration functions on its key financial applications. 

• Although a change control board at SEC was responsible for authorizing 
all application changes, none of the software modifications reviewed 
had documentation to show that such authorizations had been obtained. 


"Incompatible functions are those that cause a conflict or risk if they are under the 
responsibility of the same person. For example, authorizing access and using that access are 
incompatible functions. 

• SEC had not implemented a service-continuity plan to ensure that the 
system and its major applications could continue to function after a 
major disruption, such as a loss of electricity. 

As a result of these weaknesses, sensitive SEC data — including payroll and 
financial transactions, personnel data, regulatory, and other mission- 
critical information — were at increased risk of unauthorized disclosure, 
modification, or loss. 

A key reason for weaknesses in SEC’s information system general control 
is that the commission has not fully developed and implemented a 
comprehensive agency information security program. The Federal 
Information Security Management Act (FISMA) requires each agency to 
develop, document, and implement an agencywide information security 
program to provide security for the information and systems that support 
the operations and assets of the agency. Agencies are required to use a risk- 
based approach to information security management. FISMA also requires 
an agency’s information security program to include these key elements: 

• periodic assessments of risk and the magnitude of harm that could 
result from unauthorized access, use, or disruption of information 
systems; 

• policies and procedures that are based on risk assessments and risk 
reductions to ensure that information security is addressed throughout 
the life cycle of each system and that applicable requirements are met; 

• security awareness training to inform all users of information security 
risks and users’ responsibilities in complying with information security 
policies and procedures; and 

• periodic tests and evaluations of the effectiveness of information 
security policies, procedures, and practices related to management, 
operational, and technical controls of every major system. 

Although SEC has taken some actions to improve security management — 
including establishing a central security management group and appointing 
a senior information security officer to manage the information security 
program — further efforts are needed. For example, we found that the 
commission had not clearly defined roles and responsibilities for the 
central security group it had established. In addition, SEC had not fully 
(1) assessed its risks, (2) established or implemented security policies, 
(3) promoted security awareness, or (4) tested and evaluated the 
effectiveness of its information system controls. 

SEC and its Office of Inspector General (OIG) have recognized weaknesses 
in the commission’s information security program. Since 2002, SEC has 
reported information security as a material weakness in its FMFIA reports. 
In its fiscal year 2004 FISMA report, SEC's OIG reported that the 
commission had several weaknesses in information security and was not 
substantially in compliance with information security requirements 
contained in FISMA. 

Without proper safeguards for its information systems, SEC is at risk from 
malicious intruders entering inadequately protected systems. It is at risk 
that intruders will use this access to obtain sensitive information, commit 
fraud, disrupt operations, or launch attacks against other computer 
systems and networks. We believe the primary cause of these weaknesses 
has been the lack of a fully developed and implemented entitywide 
information security program. In our March 2005 report,'’^ we 
recommended 6 actions to fully develop and implement an effective 
security program. In addition, we made 52 recommendations to correct 
specific information security weaknesses related to electronic access 
control and other information system controls. Due to their sensitivity, 
these recommendations were included in a separate report designated for 
“Limited Official Use Only.” A fully developed, documented, and 
implemented agency information security program would provide the 
commission with a solid foundation for resolving its information security 
problems and for ongoing management of its information security risks. 

We believe that if our recommendations and SEC’s planned actions are 
carried out effectively, SEC can make considerable progress toward its 
declared vision as “the standard against which federal agencies are 
measured"*® and will be in a stronger position to manage its daily 
operations and accomplish its mission. 

This testimony is based on our recent audit of SEC’s fiscal year 2004 
financial statements, which was conducted in accordance with U.S. 
generally accepted government auditing standards. 


GAO-05-262. 

U.S. Securities and Exchange Commission, 2004 Performance and Accountability Report. 



Mr. Chairman, this concludes my prepared statement. I would be pleased to 
respond to any questions that you or the other members of the 
Subcommittee may have. 

Chairman Coburn, Ranking Member Carper, and Members of the Subcommittee: 

My name is Jim McConnell and I am the Executive Director of the SEC. The views expressed below 
and the views I express today are my individual views, and do not necessarily reflect the views of the 
Commission or the Commissioners, including the Acting Chairman. Thank you for the opportunity to 
testify today about the SEC’s audited financial statements and facilities budget estimates. Given the 
SEC’s regulatory responsibilities, it is critical that the agency maintain strong financial management 
practices and that we use taxpayer funds efficiently and effectively. 


Like many private companies, the SEC has invested tremendous time and energy on examining and 
bolstering our financial management practices and internal controls. As the regulator overseeing the 
financial markets and the accounting industry, it is entirely appropriate that we do so. As you know, 
these efforts have uncovered some weaknesses that we are working aggressively to resolve. Although 
the audit and internal controls program have presented challenges, we believe that the process will pay 
dividends in the form of stronger and more effective financial management at the SEC and is an 
important government-wide initiative. 

Audited Financial Statements 

I would like to begin by discussing the first-ever audit of the SEC’s financial statements, conducted 
under the Accountability of Tax Dollars Act of 2002. Because of the SEC’s regulatory responsibilities, 
we selected the Government Accountability Office (GAO) as our auditor. The release of our fiscal 2004 
Performance and Accountability Report in May was the culmination of two years of hard work by 
Commission staff and our GAO auditors. I want to thank them all for their efforts. 

The good news is that the GAO found that our financial statements were “presented fairly, in all material 
respects, in conformance with U.S. generally accepted accounting principles.” Clean financial 
statements are quite an achievement for a first-time audit. When the 24 major federal agencies began 
issuing audited financial statements in 1996, only six received unqualified opinions on their first audit, 
and many agencies still have not achieved unqualified opinions. 

The GAO also performed an audit of the SEC’s internal controls over financial reporting, and their 
report concluded that our controls in three areas were not fully effective. Specifically, their report 
identified material weaknesses in the areas of recording and reporting of disgorgements and penalties, 
preparing financial statements, and information technology (IT) security. Two of the three issues — IT 
security controls and disgorgements and penalties — are weaknesses that the agency has been working on 
for some time and that have been reported previously under the Federal Managers’ Financial Integrity 
Act (FMFIA). 

Let me now discuss each of these three areas, and add some general comments. 

Disgorgements and Penalties 

The first material weakness relates to the controls over our accounting for disgorgements and penalties 
ordered by courts as a result of SEC enforcement actions. While the judgments awarded by the courts 
are for specific amounts, the collection is frequently uncertain and requires efforts over a period of 
years. Let me emphasize that all fines and penalties are accounted for and no payments have been lost. 
Instead, the GAO found that the SEC did not have a sufficiently comprehensive policy governing the 
accounting for these amounts, and found inadequate internal controls in the procedures and systems for 
recording of judgments and the allowance for uncollectible accounts. 

This is an issue that the SEC has been working on for several years, and we appreciate that the GAO 
audit report indicated that the SEC has made significant progress in this area. We are currently 
performing a comprehensive review of our case files and data, and finalizing relevant accounting 
policies and internal control procedures. We anticipate that consistent application of strengthened 
internal controls and potentially some limited redesign of the current case tracking system will resolve 
the material weakness in fiscal 2006. In addition, we are developing plans to implement a multi-year 
initiative beginning in 2006 to replace the current tracking system. The financial components of the new 
system will be integrated with our central accounting system to improve the timeliness and accuracy of 
our financial reporting in this area. 

Financial Statement Preparation Process 

The GAO found a second material weakness related to the SEC’s internal controls over the process for 
preparation of financial statements. This was the SEC’s first audit, and the procedures used to prepare 
our statements involved significant manual effort by SEC staff. As a result, the policies, practices, and 
procedures had not been fully documented and integrated into the agency’s operations. 

This spring an internal senior management team reviewed many of our financial management processes 
and policies. The team confirmed the acceptability of many of the initial policies applied in 2004 and 
directed that others be further modified or reviewed. Going forward, a permanent senior management 
committee will regularly review our financial management and reporting functions and review our 
progress. In addition, the SEC is increasing its financial management staff, strengthening 
documentation of procedures and policies for statement preparation, and continuing to look for ways to 
apply the best practices of other federal agencies into our own systems. Through these efforts, we 
expect to be able to resolve this material weakness in fiscal 2006. 

Information Technology Security 

Finally, GAO’s audit confirmed weaknesses in the SEC’s information technology security that have 
been reported in prior years through our FMFIA program. These weaknesses include insufficient access 
controls, network security, and monitoring of security-related events. However, I should also note that 
the GAO found we had taken the right set of initial steps to address the weaknesses, including hiring a 
new Chief Information Security Officer and establishing a centralized security management program. In 
response, the SEC has developed a detailed inventory and timeline for correcting each of the specific 
weaknesses identified, such as through a certification and accreditation project and revisions to the 
agency’s policies and procedures in this area. We have continued to build out our information security 
program and address specific issues over the several months since the conclusion of the audit, and while 
our timeline is ambitious, we plan to complete the remediation efforts by June 2006. 

General Comments 

Let me take a moment for some general comments. Because of the SEC’s regulatory role, we believe 
the agency must lead by example through our handling of internal control weaknesses. Just as with 
private companies, we believe it is critical to forthrightly disclose our weaknesses and work to mitigate 
them as completely and quickly as possible. Full disclosure is entirely appropriate for the federal sector, 
as it is for the private sector. While we have worked to resolve and reported two of these weaknesses 
previously, the additional focus that comes with an audit has brought renewed energy and 
aggressiveness to our efforts to resolve them. We look forward to continuing this process in 2005, and 
believe that the SEC, as well as the investors we serve, will only benefit as a result. 

I would also like to advise the Subcommittee of the many new initiatives that the agency has 
implemented during the past two years that improve the management and oversight of its operations. 
First, the SEC has implemented monthly management “dashboards” designed to present regular 
snapshots of the divisions’ and offices’ progress in meeting budget, staffing, and performance 
objectives. Rather than motivating staff to simply “hit the numbers,” our dashboards are designed to 
identify emerging problems, promote the discussion of solutions, and reinforce each executive's 
accountability for staff, performance and key initiatives. In conjunction with our other efforts, the 
dashboards will help the agency proactively adjust operations and resources as environmental changes 
require. Second, the SEC has strengthened its human capital planning activities by creating a new 
Human Capital Review Board that meets on a regular basis to ensure that the agency’s staff are 
appropriately deployed to those parts of the agency with the highest need. In addition, the agency has 
spent considerable energy “breaking down silos” to increase the level of communication and 
coordination across the agency’s offices and divisions, and has worked to use its policy expertise to 
assist the agency in addressing a number of its current audit and operational challenges. 

I now would like to turn to addressing the SEC’s facilities budget estimates. 

Facilities Budgeting 

As you know, the SEC recently discovered that it had underestimated tenant build-out costs for new 
agency facilities in Washington, New York, and Boston by about $48 million over the next three years. 
These errors are serious, and revealed the need to improve our facilities management and budget 
planning functions. However, I should note that there have been no cost overruns on existing contracts; 
these mistakes pertain to estimates of future costs. Also, the SEC will be able to deal with these costs 
within existing funding levels and has submitted a reprogramming request that will correct our budget 
allocations. As you know, Representative Wolf has asked the GAO over the next few weeks to review 
the actions that led to this change in estimates and the actions the SEC has taken in response, and we 
welcome their involvement. 

I will now discuss in more detail the nature of the costs for each of these projects, and the vigorous 
actions the SEC is taking to ensure that this type of mistake does not occur again in the future. 

Station Place Buildings One and Two 

The SEC first entered into a lease for a new Washington-area headquarters facility at Station Place 
Building One in May 2001. To select this site, the SEC conducted a full and open competition, in 
partnership with the General Services Administration (GSA). Station Place was the lowest bid in the 
competition, with the flat base rental rate of $43.63 per square foot for the duration of the lease. Then, 
because of substantial increases in the SEC’s staff approved by Congress, the agency exercised its 
option to lease Building Two of Station Place in November 2002. 

When the SEC developed its cost estimates for both Station Place buildings, the agency estimated a total 
tenant build-out cost of roughly $97 million over several years. Of this amount, the SEC was to pay $47 
million in appropriated funds, and the remainder was to be covered through tenant allowances provided 
by the building owner. In its fiscal 2006 Congressional budget request, the SEC estimated the agency’s 
fiscal 2005 needs for both buildings at about $15 million. This estimate was based on assumptions 
related to construction costs provided by our facilities staff. This spring, it became clear that these 
assumptions, and the originally projected multi-year cost, were no longer accurate and had increased 
substantially. 

As a result, the SEC now estimates that the cost of completing the build-out for both buildings is 
roughly $19 million more than originally anticipated, almost all of which is needed for Building Two. 
This $19 million increase falls into two categories. First, $6 million is due to security enhancements for 
Building Two. With the benefit of lessons learned from Building One, the SEC determined that its 
security-related costs have increased. For example, among other items, the cost of hardening the multi- 
level parking garage has proven much more expensive than originally projected, due to its structural 
design. 

The remainder of the Building Two needs stem from base construction and interior build-out costs. The 
original estimates for these costs in Building Two were made in the spring of 2004. Our recent 
experience and estimates indicate that there will be higher actual costs for construction materials and 
labor than those projected. Additionally, some of the functional requirements for Building Two, such as 
a Voice Over Internet Protocol (VOIP) telecommunications system, an emergency communications 
antenna, and augmented data and telephone cabling have led to higher interior build-out costs. Finally, 
this current cost estimate better anticipates that we will encounter unforeseen site conditions, as we did 
with Building One. 

To cover the majority of these costs, the SEC has the option under the lease to pay a lump-sum to the 
landlord up to a year after completion of the building, in which case the SEC would seek this funding in 
our budget request for fiscal 2007. Alternatively, the lease allows the SEC to amortize up to $12.3 
million into our lease payments. If the costs were amortized, then the SEC would need to accommodate 
roughly $1.5 million more into its annual budgets over the next 14 years, starting with fiscal 2006. 

Northeast Regional Office 

Now I would like to discuss the new facility for our New York Office at Three World Financial Center, 
for which we signed the lease in March 2005. This location provides the SEC with the additional space 
needed to accommodate the staffing increases the agency has received over the last several years. The 
new space also was obtained at a more favorable lease rate than the SEC’s prior location. Most 
important, this move enabled the SEC to vacate a substandard office that it had to find quickly in 
response to the destruction of our building on September 11th. 

While the SEC did not yet have a lease for new space in New York when it was formulating its fiscal 
2005 budget, the agency had been developing plans to move to an alternate location. Unfortunately, no 
funds were included to build out this new facility, and instead the agency only requested enough 
resources to cover the costs of returning certain tenant improvement credits received under the prior 
lease in the Woolworth Building. As a result, the SEC currently estimates that it will cost an additional 
$28 million to fully address our New York build-out needs. Of this amount, about $6 million is 
associated with the acquisition of temporary swing space, and the remaining $22 million is attributable 
to the build-out of permanent space. 

The agency does not anticipate facing any significant additional build-out expenses in New York in 
2007 or beyond, as this project will be completed in fiscal 2006. Separately, the SEC currently intends 
to cover a portion of the costs of this build-out through amortizing these costs into our lease payments in 
accordance with a revised lease agreement with the landlord, and to fund the remainder through our 
currently pending reprogramming request. 

Boston District Office 

Lastly, the SEC is in the process of completing the Boston district office’s relocation to its new address 
at 33 Arch Street. When the SEC first estimated the costs of this space, the staff assumed a build-out 
cost of $90 per square foot. Recently, the SEC determined that this price is not obtainable given the 
rising costs of construction materials, labor, and the agency’s space-related requirements. For these 
reasons, the SEC faces an estimated shortfall of about $1.4 million. While the SEC will not be moving 
to this location until next spring, this cost must be funded in fiscal 2005. As with the New York Office, 
the SEC does not expect to require additional funding for build-out beyond 2006. 

Project Management and Budgetary Controls 

Now let me say a few words about the actions the SEC has taken to rectify the conditions that led to 
these project management and budget planning failures, and ensure that they do not recur. 

During the course of the development of the SEC’s spending plans for fiscal years 2005 and 2006, our 
facilities staff in the Office of Administrative Services (OAS) had been asked multiple times to provide 
accurate and complete cost information on these projects. However, OAS staff provided no new 
information that reflected the agency’s need for additional build-out funds. The SEC’s budget oversight 
staff then learned of the possibility of these budgetary shortfalls and omissions in the course of 
reviewing the SEC’s fiscal 2005 operating budget this spring. The SEC then advised our appropriations 
subcommittee and submitted a reprogramming request that will allow us to shift funds from other areas 
to pay for our 2005 needs, as outlined above. 

The SEC has removed several staff from these projects and is working to strengthen our budgetary 
formulation internal controls and oversight capabilities. Among other improvements, the SEC recently 
created several new budgeting and project oversight positions in OAS and added budget formulation 
staff in our Office of Financial Management (OFM). The SEC also is planning a new budget 
formulation and activity-based costing systems that will greatly enhance the quality and timeliness of the 
data related to our administrative and operational costs. 

Conclusion 

In conclusion, I would like to thank the subcommittee for your interest in these important topics. We 
believe that strengthening our internal controls and financial management practices will have significant 
benefits for the SEC, and will allow us to be more effective in fulfilling our mission to protect investors. 
We look forward to sharing with you the results of these efforts. 

I would be happy to answer any of your questions. 

Questions for David Walker from Chairman Coburn for the Record (11/21/2005) 

1. In your testimony, you list 13 actions the SEC should take in order to improve controls 
over the financial reporting process. These are 13 substantive actions. In their response 
letter to GAO, SEC stated its plans to “increase their financial reporting staff and 
formalize policies and procedures.” 

A. Is GAO aware of any progress the SEC has made on these recommendations? 

SEC has begun to take some actions to improve its financial reporting process. For 
example, SEC is in the process of hiring additional financial reporting staff and has 
drafted policies and procedures for preparing financial statements. In addition, SEC has 
established a Financial Management Review Committee to provide advice and to 
regularly review the agency’s financial operations and policies. However, as we reported 
on November 15, 2005, as of September 30, 2005, SEC still had material weaknesses in 
controls over the financial reporting process, resulting in SEC not being able to prepare 
reliable and timely financial statements without extensive and time-consuming manual 
procedures. See our report Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2005 and 2004, GAO-06-239, dated November 15, 
2005, for a more detailed discussion of SEC’s weaknesses in controls over its financial 
statement preparation process. 

B. What types of actions are crucial on the part of the top management of the SEC in 
order to successfully correct the weaknesses in financial reporting? 

In order to correct its financial reporting weaknesses, SEC needs to build a foundation for 
financial reporting and accountability that includes (1) providing strong top management 
leadership and support for the financial management function including instituting 
accountability mechanisms to help ensure timely and reliable financial reporting; (2) fully 
staff the financial management team with the right knowledge, skills, and experience; (3) 
fully develop integrated financial reporting systems to produce reliable and supportable 
financial information and minimize manual processes; and (4) develop and implement 
appropriate, cost-effective internal controls over financial reporting that include a well- 
defined documentation process containing an audit trail and verifiable results so that 
someone not connected with the procedures can understand the processes over financial 
reporting. 


2. The SEC Inspector General has cited information systems security as a problem since 
1996, and GAO reported in March of this year that the SEC needs to address weak 
controls over financial and other sensitive data. The Federal Information Security 
Management Act (FISMA) requires each agency to develop, document, and implement an 
agency-wide information security program to provide security for the information and 
systems that support the operations and assets of the agency. Under FISMA, agencies are 
required to use a risk based approach to information security management. 
A. What progress has the SEC made thus far in developing this program? 

SEC has made some progress in developing an information security program, but 
additional steps are needed to develop a program that effectively addresses its 
information security problems. During fiscal year 2004, we noted that SEC had 
established a central security management function and appointed a senior information 
security officer to manage the program as steps towards strengthening its information 
security program. In our fiscal year 2005 review, we also observed additional progress in 
SEC’s security program development such as an increase in security staffing, the 
certification and accreditation of several major applications, and the implementation of a 
backup data center for service continuity. In September 2005, SEC Office of Inspector 
General’s FISMA report showed other security program improvements including better 
remediation action tracking, completed and tested contingency plans for several major 
applications, and an inventory of SEC systems. However, SEC must continue to make 
progress in its security program in order to address weaknesses in electronic access 
controls, including user accounts and passwords, access rights and permissions, network 
security, or audit and monitoring of security-relevant. The program must also address 
weaknesses in other information security controls, including physical security, 
segregation of computer functions, application change controls, and service continuity. 
Additional efforts are needed for SEC to develop and implement an information security 
program that resolves existing information security problems and continuously manages 
information security risks. 

B. Could you give the Subcommittee an example of the threats this security weakness 
poses? 

A former SEC employee could access its systems and sensitive information for malicious 
purposes because SEC lacks a process to remove network access for separated 
employees. Similarly, SEC’s systems are under threat of unauthorized access and attack 
due to access control weaknesses such as weak passwords, insecure hardware 
configurations, and insufficient guidance and testing program for wireless devices. 
Further, SEC’s systems remain vulnerable to infiltration as a result of SEC’s lack of a 
policy to install and maintain up-to-date security and software patches. Such 
unauthorized access and attack could occur with little likelihood of detection until SEC 
fully implements intrusion detection systems on its networks. Additional opportunities to 
compromise SEC’s information security exist because of other security weaknesses such 
as excessive file and system permissions, incompatible job functions, and inadequately 
protected databases provide. Overall, the security vulnerabilities that have been 
identified at SEC leave sensitive data — including payroll and financial transactions, 
personnel data, regulatory, and other mission critical information — under threat of 
unauthorized disclosure, modification, or loss. 

C. Does this mean an outsider could hack into the SEC’s system? 

Yes. As a result of the existing security weaknesses, unauthorized access to SEC’s 
systems is possible and could occur without immediate notice. In particular, SEC has a 
number of access control weaknesses that could allow an outsider to gain unauthorized 
access to SEC’s information systems. SEC’s password storage and settings issues, 
excessive permissions and privileges, insecure configuration of network devices and 
other access control weaknesses increase the risk of system compromise whether the 
threats are external or internal. 

3. All of the new initiatives for improved oversight of mutual funds, hedge funds, along 
with numerous other regulatory initiatives initiated under Chairman Donaldson will 
obviously create greater demands for impeccable financial management and accountability 
and careful allocation of resources at the SEC. These initiatives have required new staff 
and additional resources. Accordingly, these new initiatives demand heightened oversight 
and accountability as does the strategic five year plan developed by the SEC to address the 
material weaknesses identified by GAO. The Inspector General’s Office at SEC currently 
has 10 employees, and has stated that they have been provided with the staff resources they 
need over the last 15 years. 

Does GAO have any comments regarding the size of the Inspector General’s Office, and 
whether or not their investigatory role should be increased? 

We don’t have any specific comments regarding whether or not the IG’s investigatory 
role should be increased, although we have had discussions with the IG concerning its 
need to hire additional employees if the IG ever assumes responsibility for auditing the 
SEC’s financial statements. However, at this time, GAO plans to continue to audit SEC’s 
financial statements for the foreseeable future. 


4. Can you please share generally how financing decisions are made across government, 
specifically the decisions made by agencies for construction versus lease-purchase, 
purchase, etc.? 

Our work in the federal government shows that, often, lease financing decisions are made 
based on appropriations, cash flow, and "how we keep score" rather than on the best 
long-term economic value for the government. Dependence on costly leasing was one of 
the reasons we designated federal real property as high risk. 

As a general rule, building ownership options through construction or purchase are the 
least expensive ways to meet agencies’ long-term requirements. Lease-purchases — where 
payments are spread out over time and ownership of the asset is eventually transferred to 
the government — are generally more expensive than purchase or construction but are 
generally less costly than using ordinary operating leases to meet long-term space needs. 
However, over the last decade we have reported that GSA — as the central leasing agent 
for most agencies — relies heavily on operating leases to meet new long-term needs 
because it lacks funds to pursue ownership. 

Operating leases — in which periodic lease payments are made over the specified length 
of the lease — have become an attractive option in part because they generally look 
cheaper in any given year. Pursuant to the scoring rules adopted as a result of the Budget 
Enforcement Act of 1990, the budget authority to meet the government’s real property 
needs is to be scored — meaning recorded in the budget — in an amount equal to the 
government’s total legal commitment. For example, for lease-purchase arrangements, the 
net present value of the government’s legal obligations over the life of the contract is to 
be scored in the budget in the first year. For construction or purchase, the budget 
authority for the full construction costs or purchase price is to be scored in the first year. 
However, for many of the government’s operating leases, only the budget authority to 
cover the government’s commitment for an annual lease payment is required to be scored 
in the budget. Given this, while operating leases are generally more costly over time, 
compared with other options, they add much less to a single year’s appropriation total 
than these other arrangements, making this choice a more attractive option from an 
annual budget perspective, particularly when funds for ownership are not available. 

While the requirement for “up-front funding” permits disclosure of the full costs to which 
the government is being committed, the budget scorekeeping rules allow costly operating 
leases to “look cheaper” in the short term and have encouraged an over reliance on them 
for satisfying long-term space needs. Decision makers have struggled with this matter 
since the scoring rules were established and the tendency for agencies to choose 
operating leases instead of ownership became apparent. 

For more information, see Federal Real Property: Reliance on Costly Leasing to Meet 
New Space Needs is an Ongoing Problem (GAO-06-136T, October 6, 2005); High Risk 
Series: An Update (GAO-05-207, January 2005); and High Risk Series: Federal Real 
Property (GAO-03-122, January 2003). 


5. Have the Joint Financial Management Improvement Program Principals met yet to 
discuss whether and under what circumstances federal government agencies should be 
required to have an outside opinion on their system’s internal accounting controls? If 
so, what were the general outcomes of that discussion? 

The Joint Financial Management Improvement Program (JFMIP) Principals met on October 
24th, 2005 and continue to discuss and follow the issue of internal controls in the federal 
government. There have been many developments over the past year and ongoing 
developments during fiscal year 2006 in the area of internal control management, assessment, 
and reporting in the federal government. The JFMIP Principals will continue to follow these 
developments closely and use the information and experience gained through these initiatives 
to consider the issue of, whether and under what circumstances, auditor opinions on internal 
control should be encouraged or required. 

In December 2004, OMB issued revisions to its Circular A-123, Management's 
Responsibility for Internal Control. The revised Circular, is effective for fiscal year 2006, 
and provides guidance to Federal managers on improving the accountability and 
effectiveness of Federal programs and operations through establishing, assessing, correcting, 
and reporting on internal control. In addition, Appendix A to the Circular applies to the CFO 
Act Agencies, and requires a management assessment process specifically over the 
effectiveness of internal control over financial reporting. In July 2005, the Chief Financial 
Officer’s Council issued an implementation guide to specifically address the additional 
requirements of Appendix A to OMB Circular A-123. Agencies are currently in the process 
of implementing these new requirements during fiscal year 2006. Separately, on September 
27, 2005, The Chief Financial Officers Council and the President’s Council on Integrity and 
Efficiency issued a joint study on the potential costs and benefits of requiring the CFO Act 
agencies to obtain audit opinions on internal control over financial reporting. This study 
recommends that agencies be given the opportunity to implement the revised OMB Circular 
A-123 and obtain an internal control audit only where particular circumstances warrant. The 
Department of Homeland Security Financial Accountability Act required the study and also 
requires GAO to perform an analysis of the study, which is in process. 
January 12, 2006 


The Honorable Tom Coburn 
Chairman 

Subcommittee on Federal Financial Management, 

Government Information, and International Security 
United States Senate 
439 Hart Senate Office Building 
Washington, DC 20510 

Dear Chairman Coburn: 

Enclosed, please find written responses to your questions for the record from the 
Subcommittee on Federal Financial Management, Government Information, and International 
Security’s hearing entitled “Examining Financial Management at the SEC” held July 27, 
2005. 


As you know, my highest operational priority as Chairman is to resolve the material 
weaknesses in the agency’s internal controls that were documented in your hearing and in the 
SEC’s FY 2005 Performance and Accountability Report. Given the agency’s unique role in 
monitoring the internal controls of public companies and regulated entities, it is unacceptable 
for the SEC to have these material weaknesses, and the Commission is committed to 
resolving them fully in FY 2006. I am also pleased to report that the SEC has taken steps to 
fully fund the completion of its three real estate projects without amortizing any amounts into 
the agency’s future lease payments. By working to fully cover these costs in 2005, through a 
reprogramming, and in 2006, as part of our current operating budget, the Commission will 
save taxpayers an estimated $24 million in unnecessary interest payments over the next 14 
years. 


I hope that the attached responses from SEC Executive Director Jim McConnell are 
helpful to the Subcommittee. As with other issues involving the Commission’s 
responsibilities, we welcome the opportunity to share our views on these matters. If the 
Subcommittee has additional questions or requires additional materials to complete its 
hearing record, please do not hesitate to contact our Director of Legislative Affairs, Jane 
Cobb, at (202) 551-2010. 



Enclosure 


Christopher Cox 
Chairman 
Questions for Mr. McConnell for the Record (7/27/05): 

1. In May 2005, GAO reported three material internal control weaknesses in the 
areas of recording and reporting disgorgements and penalties; preparing financial 
statements and related disclosures; and information security. These conclusions 
were as of September 30, 2004. Since then, the SEC has begun a number of key 
initiatives to eliminate these material weaknesses and strengthen internal controls. 

A. Please summarize the major ongoing initiatives to deal with these three 
internal control weaknesses. 

B. Please explain the management and governance issues that allowed for these 
weaknesses to occur. 

C. What is your plan to solve internal control problems, and protect interests of 
the US Taxpayers? Please provide a schedule of your plan that includes 
initiatives and their respective expected dates of implementation. 

Answer: 

The SEC’s FY 2005 Performance and Accountability Report (PAR), which was 
completed by November 15 in accordance with the Office of Management and Budget’s 
(OMB) required deadline, provides an update on the SEC’s initiatives to resolve the three 
material weaknesses previously identified in last year’s PAR. The SEC expects to have 
remediated fully these three weaknesses by the end of FY 2006. The following excerpts 
from our FY 2005 PAR highlight our progress in these areas over the last year, in 
addition to summarizing our remaining tasks. 

Reporting and recording of disgorgement and penalties 

Description. The SEC has a material weakness related to its collection and management 
of financial information on disgorgement and penalties ordered as a result of SEC 
enforcement actions, as well as one nonconformance related to federal financial 
management system requirements. These issues arise because the agency does not have a 
fully automated system in place to collect accurate data on penalties, disgorgement, and 
other enforcement-related financial transactions. The SEC also needs to finish the 
development of comprehensive policies and implement internal controls for the collection 
of the needed financial data. To compensate for the system limitations, the SEC staff 
performed extensive manual procedures to compile necessary information and update the 
accounting system, which GAO then tested to obtain support for the estimated net 
amounts receivable. However, errors and inconsistent reporting were noted, which 
confirmed the need for improved controls. 

Corrective actions taken. Prior to FY 2005, SEC staff designed and implemented an 
interim system to record and report on data collected and entered on over 12,000 parties 
to SEC enforcement actions. During FY 2005, enforcement and financial staff met 
regularly to reexamine and change certain documentation and data entry procedures and 
to strengthen coordination and communication among offices. The agency undertook a 
comprehensive review of all case files to determine whether individual amounts recorded 
in the interim system were accurate. Work began on a new system to record financial data 
arising from enforcement actions. This system is designed to be fully integrated with the 
central accounting system. 

Corrective actions planned. During FY 2006, enforcement and financial staff will 
continue to meet regularly to review and strengthen policies and procedures. The new 
subsidiary system will be completed by the end of the fiscal year, and business processes, 
policies and procedures will be redesigned. It is anticipated that consistent application of 
the internal controls and completion of the new system will improve recording and 
reporting capabilities and resolve the material weakness in FY 2006. 

Information security 

Description. Effective information system controls are required to provide assurance that 
financial information is adequately protected from misuse, fraud, improper disclosure, or 
destruction. These controls take the form of technical safeguards, such as firewalls and 
application design, as well as procedural controls, such as access management and 
segregation of duties. The SEC has previously reported a material weakness related to its 
information systems and security controls. These issues stem from the historical lack of a 
comprehensive agency program to manage information security. Specifically, weaknesses 
have been identified in access control management, network security, audit and 
monitoring functions, user awareness, and other areas. Compliance with the 
requirements of OMB Circular A-130, Management of Federal Information Resources, 
Appendix III, regarding accreditation of applications and the Federal Information 
Security Management Act (FISMA), also requires strengthening. The GAO audit 
confirmed many of the findings reported in prior years through the FMFIA and internal 
audits related to general controls over IT security. While the auditors did not note any 
instances of security breaches that would affect the financial systems or records, they 
concluded that these information security control weaknesses put sensitive data — 
including payroll and financial transactions, personnel data, and other program-related 
information — at increased risk of unauthorized disclosure or modification. In addition, 
the audit found that the SEC lacked a comprehensive monitoring program to identify 
unusual or suspicious activity. However, GAO’s review of existing controls and agency 
remediation plans provided adequate assurance that financial data and systems were 
auditable. 

Corrective actions taken. The SEC established a centralized information security 
program under the Chief Information Officer and Chief Information Security Officer, and 
put in place a comprehensive information security program that addresses all of the issues 
associated with the material weakness. The Commission expects to certify and accredit 
80 percent of major applications by the end of calendar year 2005, including accreditation 
of the general support system. The SEC developed information security control 
documents and all policies, procedures, and guidelines to reflect National Institute of 
Standards and Technology guidelines as mandated by FISMA. The SEC continued to 
promulgate security awareness training internally; and 95 percent of all SEC employees 
and contractors received annual information security and privacy awareness training in 
FY 2005. Additionally, 83 percent of all system administrators received specialized 
security training. The SEC invested in an identity management system to ensure an 
improved access control system and put new processes in place to mitigate findings by 
GAO concerning separation of duties and access control. 

Corrective actions planned. Both SEC general support systems and financial applications 
will be fully certified and accredited in FY 2006. Corrective actions for specific control 
weaknesses identified in the GAO review are being implemented according to a quarterly 
timeline, and will be completed by June 2006. Meanwhile, the Commission continues to 
enhance its overall information security program by: 

• Clarifying roles and responsibilities for enterprise information security and 
developing a comprehensive privacy program; 

• Developing and implementing security risk assessments for new 
technology insertions and regional offices; 

• Implementing a comprehensive set of information security policies and 
procedures; 

• Providing security awareness and privacy training to employees and 
contractors; and 

• Systematically testing policies and procedures for their appropriateness 
and effectiveness. 

Financial statement preparation process 

Description. The SEC prepared its second complete set of financial statements for FY 
2005. While enhanced procedures have been formulated or better documented and 
applied to accumulate the necessary data to complete the financial statements, many 
changes were implemented late in the fiscal year and therefore have not been fully tested 
and confirmed. The process to prepare the SEC’s financial statements continues to be 
manually intensive, consumes significant staff resources, and does not include complete 
documentation of quality control procedures. Additionally, comprehensive 
documentation of accounting policies and procedures for some major areas remains to be 
finalized. 

Corrective actions taken. The SEC financial reporting staff has been expanded. Staff has 
drafted, expanded, or completed many accounting policies and procedures; some require 
further testing and others may require further refinement. More subsidiary records have 
been reconciled on a monthly basis. 

Corrective actions planned. During FY 2006, the SEC’s financial reporting staff will 
formalize additional policies and procedures and assure their consistent application. 
Monthly reconciliations of subsidiary records will be expanded. New procedures will 
accelerate year-end and quarterly closings. Efforts to solicit advice from staff experts 
within the SEC will continue. The organizational structure for assuring regular review by 
key management of SEC financial reports and operations, policies, and controls will be 
finalized. Senior management will also address the requirements of the OMB Circular 
A-123, Management's Responsibility for Internal Control. 
Status of Controls over Budget Planning 

Description. In May 2005, the SEC disclosed that it had identified unbudgeted costs of 
approximately $48.7 million associated with the construction of its new leased facilities 
in Washington, D.C., and improvements in its new leased facilities in New York 
City and Boston. Based on its review, GAO determined that these issues arose because of 
ineffective management controls, inadequate administrative infrastructure, and the nature 
of the facilities projects. SEC has taken actions to address these issues and plans to 
complete its implementation of all GAO recommendations during FY 2006. 

Corrective actions taken. The SEC has taken several actions during the year to strengthen 
controls in this area and resolve this new weakness. The agency has: hired a new official 
with budgeting and construction experience to head the Office of Administrative Services 
(OAS); created several new budgeting and project oversight positions in the OAS; 
improved communications between the Offices of Financial Management and OAS 
regarding budget formulation; approved and begun planning a new automated budget 
system to free-up staff for analysis and detect abnormalities; requested that program areas 
provide more support for their budget estimates; and replaced staff previously involved in 
managing and overseeing the construction and lease improvement projects. The agency 
expects to realize approximately $4 million in cost savings associated with the 
completion of the New York office. 

Corrective actions planned. During FY 2006, the SEC will fully rectify this deficiency. 

In particular, the agency will fully implement GAO’s remaining recommendations 
regarding staff and management accountability for the reasonableness of budget estimates 
and development of reporting and review procedures related to construction and lease 
improvement projects. To address the remaining shortfall, the SEC intends to completely 
pay for the three facilities projects in FY 2006. 
2. With all of the new initiatives for improved oversight of mutual funds, hedge 
funds, and numerous other regulations initiated under Chairman Donaldson, there 
is obviously an even greater demand for impeccable financial management and 
accountability and careful allocation of resources at the SEC. These initiatives have 
required new staff and additional resources. 

A. How do you plan to manage all of these initiatives, in addition to keeping up 
with enforcement and examination demands given the probability of a 
slimmer budget? 

B. How will the Commission keep up with its increased enforcement and 
examination demands while fulfilling the aggressive five-year strategic plan 
to reform current weaknesses and management issues? 

Answer: 

The Chairman has expressed his unstinting support for the SEC’s enforcement program 
and examination responsibilities. Since his arrival at the Commission, the Chairman has 
worked diligently to ensure that the agency can operate successfully within its 
constrained FY 2006 funding level. 

As noted above, the SEC expects to resolve fully its three previously identified material 
weaknesses by the end of FY 2006. These efforts are not expected to compromise at all 
the agency’s ability to fulfill its mission or any other agency’s other ongoing initiatives. 

With respect to the SEC’s five-year strategic plan, the agency is slated to complete a 
revised version by next fall. This plan, which will be voted on by the Commission, will 
be used to guide the activities and initiatives of the agency of the next several years. 
3. The SEC Inspector General has cited information systems security as a 
problem since 1996, and GAO reported in March of this year that SEC needs to 
address weak controls over financial and sensitive data. The Federal Information 
Security Management Act (FISMA) requires each agency to develop, document, and 
implement an agency-wide information security program to provide security for the 
information and systems that support the operations and assets of the agency. 

Under FISMA, agencies are required to use a risk based approach to information 
security management. 

A. What progress has SEC made thus far in developing this program? 

Answer: 

In the March 2005 GAO report, the auditors acknowledged that we had made initial 
progress in developing an information security program, including hiring a Chief 
Information Security Officer (CISO), instituting a centralized security management 
function under the CISO, and putting in place an action plan to remediate the specific 
weaknesses identified. This plan lays out a comprehensive approach for implementing 
the risk-based security management requirements of FISMA, including the finalization of 
policies and operating procedures, and the implementation of new technologies designed 
to improve monitoring, managing, and restricting access to computer systems. Once 
completed, these new security activities will help SEC control the types of changes that 
are introduced into its IT environment and ensure that the agency effectively identifies, 
assesses, and mitigates sources of information security risk on a continuous basis. 

One of the cornerstones of the FISMA guidelines is a process to “certify and accredit” 
major IT systems based on a detailed analysis of the sensitivity of the information and the 
system’s sources of information security risk. Since the GAO report’s release, and as 
reported to OMB during the most recent annual reporting period, the SEC has certified 
and accredited 80% of our major applications and general support systems as required by 
FISMA. The SEC’s four remaining systems will be completed by March 2006. The SEC 
also instituted a computer security awareness training program that was completed by 
over 95% of staff and contractors during 2005. 

B. Could you give the Subcommittee an example of the threats this security 
weakness poses? 

Answer: 

Many of the issues identified by GAO relate to insufficient internal controls. Typically, 
the perceived threats posed by these security weaknesses are risks associated from 
internal users accessing and/or modifying sensitive information. A hallmark principle of 
information security best practices is known as “least privilege”; under this principle, a 
user of a system should not have access to any information beyond that needed for his or 
her role. Without consistent enforcement and awareness of security policies, users may 
have access to information for which they may not have a business need, or users may 
not understand the sensitivity of the data as defined by the business owners. An 
employee with malicious intent could also theoretically abuse his or her access to the 
information. 

On page 15 of their testimony, GAO says, “without proper safeguards for its 
information systems, SEC is at risk from malicious intruders entering inadequately 
protected systems. It is at risk that intruders will use this access to obtain sensitive 
information, commit fraud, disrupt operations, or launch attacks against other 
computer systems and networks.” 

C. Does this mean an outsider could hack SEC’s system? 

Answer: 

The SEC has historically focused its information security efforts on protecting the agency 
from intrusion attempts coming from outside the agency - as a result, we have a “defense 
in depth” posture that provides layers of protection for our IT systems and assets. To 
verify that these layers of defense provide adequate protection and are effectively 
implemented, the SEC contracted with security industry vendors to conduct external 
penetration tests earlier this year. No significant weaknesses were identified as a result of 
these tests. Nevertheless, no IT network or system that is connected to the Internet is 
100% safe from being compromised. However, the SEC believes that our network and 
systems have sufficient operational, technical, and management controls to reduce the 
risk of attack from an outside intruder to a low level. 
4. Under Chairman Donaldson’s leadership, he instituted “performance 
dashboards,” designed to present regular snapshots of the divisions' and offices' 
progress in meeting budget, staffing, and performance objectives. As stated in your 
testimony before the House Government Reform Subcommittee on Efficiency and 
Financial Management, Committee on Government Reform on April 20, 2004, 
“dashboards are designed to identify emerging problems, promote the discussion of 
solutions, and reinforce each executive’s accountability for staff, performance and 
key initiatives.” 

A. Have the dashboards been successfully implemented at all levels and in all 
offices at the Commission? 

B. If indeed the performance dashboards are still being utilized, how have you 
kept up the momentum with the new Chairman? 

C. What ingredients did the “dashboards” lack that strained accountability 
between each executive and their staffs? In other words, how do you 
reconcile this aggressive initiative with GAO’s reports of weaknesses? 

Answer: 

As you know, the dashboards were instituted by former Chairman Donaldson in FY 
2004. These monthly management reports contain a variety of performance measures 
and other data that gauge the agency’s success in meeting its operational, staffing, and 
budgetary objectives. 

By design, the dashboards were meant to be dynamic, and the SEC has worked to expand 
the range of offices covered by the reports and refine the measures for each area. The 
reports now focus on nine of the SEC’s major divisions and offices: the enforcement 
program, the examination program, the Division of Corporation Finance, the Division of 
Market Regulation, the Division of Investment Management, the Office of the General 
Counsel, the Office of Economic Analysis, the Office of Investor Education and 
Assistance, and the Office of the Executive Director. Although certain smaller offices 
remain to be added, these nine components represent 92% of the SEC’s permanent staff. 

Through these efforts, the dashboards have yielded significant positive results. Not only 
have they improved the operational information available to senior managers and 
enhanced the dialogues among divisions and offices, but the dashboards have directly 
contributed to shorter turnaround times and reduced backlogs, in areas such as no-action 
letter requests, SRO exams, and open investigations. 

Chairman Cox remains committed to these valuable tools and under his leadership, the 
SEC is working to implement further improvements. Since the dashboards’ inception, 
the SEC has added new measures and improved others as the agency has gained 
experience with these reports and as the agency’s needs have evolved. Currently, the 
SEC is undergoing another review of the dashboard measures to ensure they remain 
appropriate and also plans to automate the reports. 

With respect to the material weaknesses reported by GAO, the dashboard reports were 
never designed to capture such internal control weaknesses. The dashboards were 
conceived to gauge the agency’s progress against a variety of predetermined performance 
measures; they would not reveal whether the internal controls underlying the 
performance data or other management information have weaknesses. That is why it is 
critical that agencies also conduct self-assessments and outside audits of their internal 
controls. However, the dashboards have served as a useful tool for senior managers to 
track the agency’s progress in preparing its first financial statements and addressing 
internal control weaknesses once they have been identified. Separately, the SEC also 
plans to integrate the dashboards with the upcoming Activity-Based 
Costing/Performance-Based Budgeting system, which will help enhance the internal 
controls over budget formulation. 

5. $52.5 million of the settlement money from the Global Research Analyst 
Settlement was supposed to establish an Investor Education Fund to develop and 
support programs designed to equip investors. While $27.5 million of these monies 
were directed to state securities regulators for investor education, the transfer of 
$52.5 million to the NASD Foundation has raised legal questions. How did the SEC 
go about selecting the NASD Foundation to be the sole recipient of the Global 
Settlement investor education funds? 

A. Did the SEC provide any public notice that it would be considering 
private sector recipients for managing the investor education funds? 

The SEC’s plan to distribute the investor education funds to the NASD Foundation was 
publicly filed and approved after a public hearing, in accordance with Court Orders 
governing the Global Research Analyst Settlement. The $55 million in federal investor 
education funds is the result of the settlement between the SEC, NASD, the New York 
Stock Exchange and defendants. The NASD and NYSE authorized the federal investor 
education funds to be paid into the federal action pending before the Honorable William 
H. Pauley, III, Southern District of New York, subject to a plan to be submitted to the 
Court by the SEC. It was the intention of the parties to the settlement that the SEC and 
the Court have oversight of the funds. In submitting the investor education plan 
providing for the transfer of the funds to the NASD Foundation, the SEC acted in 
conformance with the terms of the settlement and Court Orders. The SEC made its plan 
public in a filing with the Court. Third parties were permitted to comment on the plan, 
including parties who desired to manage the funds. After a public hearing, the Court 
approved the SEC’s plan, and in fact rejected arguments by certain parties that other 
entities would be more suitable recipients for the funds. 

B. Were any other potential recipients contacted? 

No, although consideration was given to other potential recipients. In crafting the new 
investor education plan, the SEC relied on its Office of Investor Education and 
Assistance. The SEC confirmed that the NASD Foundation is an independent investor 
education entity that is nation-wide in scope and not funded by individual financial 
services companies or their trade associations. In addition to the independent nature of 
the NASD Foundation, and its pledge to have a majority of public board members, the 
guidelines, procedures, and focus of the NASD Foundation are compatible with the 
Court’s Orders regarding the use of investor education funds. The SEC has a good 
working relationship with the NASD Foundation. The NASD Foundation’s mission is 
investor education, not the broader goal of financial education. The NASD Foundation 
publicly discloses, via its website, all grants made, the purpose of each grant, and the 
recipient of each grant. Such transparency is very important when disbursing public 
funds. Further, the NASD Foundation’s agreement to work within the terms of the 
Court’s Orders regarding investor education will permit sufficient SEC and Court 
oversight. Given these facts, and the SEC’s determination that other entities were not as 
attractive in terms of complying with the Court’s Orders, no other potential recipients 
were contacted. 

C. What recourse, if any, will the SEC have if the NASD Foundation does 
not adequately manage these funds? 

The NASD Foundation is subject to detailed terms in a Court Order for the handling of 
the funds. The Court Order directs how the funds are to be distributed, contains 
restrictions on who may receive funds, requires quarterly and annual reports to the SEC 
and the Court, and requires an annual audit by an independent third party. The Court has 
retained jurisdiction for the purposes of ensuring compliance with the terms of the Order. 
Should the NASD Foundation not adequately manage the funds, or fail to comply with 
the Order, the SEC can seek appropriate relief from the Court. The SEC also has the 
right to submit a new plan for the use of the funds, including distribution to a different 
entity, should such action be necessary. The Court can also take action on its own should 
such action be necessary to enforce the terms of the Order. 

D. Whose money is this? 

See Response to Question A. In sum, the funds are under the jurisdiction of the federal 
court overseeing the settlement, and applicable Orders give the SEC the authority to 
submit plans for the use of the funds. 

6. Please provide the Subcommittee with a comparison of the difference in the total 
SEC building costs (for the new New York, Boston, and Washington, D.C. offices) if 
they were to have been paid for up front, vs. the option that was chosen. 

Since the July hearing, the SEC has taken steps to fully fund the completion of its three 
real estate projects without amortizing any amounts into the agency’s future lease 
payments. By the SEC’s working to fully cover these costs in 2005, through a 
reprogramming, and in 2006, as part of our current operating budget, the agency will save 
taxpayers an estimated $24 million in unnecessary interest payments over the next 14 
years. 

In addition to extinguishing these build-out costs completely in 2006, the SEC has taken 
steps to reduce the costs of these projects through value engineering their completion. 

We currently estimate that these design changes, which will have no negative effects on 
employee efficiency, will result in approximately $4 million in cost savings associated 
with the completion of our Northeast Regional Office. 

Question #1: What sorts of confidential data does the SEC store? Is personal data stored 
as well as confidential business data? 

The SEC manages a wide range of data, both internally generated and received from external 
parties. Confidential data would include information such as: 

• Evidentiary information obtained during the course of enforcement investigations, which 
is mostly stored in electronic format 

• “Bluesheet” data on trading activity obtained from broker-dealers, usually in support of 
enforcement requirements 

• Information obtained from regulated broker-dealers, mutual funds, and other entities 
during compliance inspections and examinations 

• Other confidential information submitted to the SEC according to agency requirements; 
for example, correspondence with registrants which is covered by a confidential 
treatment request 

• Internal personnel records 

Information sources such as the above items can include personal information such as names, 
addresses, social security numbers, records of personal securities transactions, and other data. 

All such information is retained within Commission information systems that are fully subject to 
Commission information security and privacy policies. 


Question #2: Has the SEC ever inadvertently released confidential data? 

To our knowledge, the SEC has not inadvertently released confidential or personal information 
to the public, with the exception of a few isolated cases where documents not intended for public 
release have been disseminated. For example, the Inspector General issued an audit 
memorandum in March 2004 examining instances where internal memoranda related to no- 
action letters in the Division of Investment Management were inadvertently categorized as 
documents for public release. These incidents would have resulted in the release of non-public 
Commission work product, but not personal information. 

The SEC has also on occasion served as a conduit for the inadvertent release of confidential 
information via the EDGAR system. Filers have on occasion included personal information in 
their filings with the Commission, which the SEC has then automatically disseminated to the 
public. Filers are aware that the documents that they file with SEC through the EDGAR system 
are disseminated to the public immediately upon their arrival and it is their responsibility to 
ensure that the information that they send in their filings is public information. In unusual cases 
where this type of disclosure does happen, the SEC can issue a correction to the filing to expunge 
the personal information, which eliminates the information from the system of record. 

Question #3: Has the SEC ever had a security breach that resulted in data being lost? 

To our knowledge, the SEC has not had a security breach that resulted in data being lost or 
corrupted. The SEC has over the past year instituted a comprehensive program for monitoring 
suspicious activity and responding to information security-related incidents. For example, the 
agency’s 2005 FISMA report listed four recorded security incidents, all of which were quickly 
contained and mitigated, and none of which involved the release of confidential information or 
loss of data. 


Question #4: How much extra staff time is spent at the SEC due to the agency’s failure to 
integrate its financial systems? 

Since 2003 the SEC has increased its financial management staff by 20% to meet the new 
requirements for preparation and audit of financial statements. The Enforcement Division also 
added staff to meet the need to better track penalties and disgorgements. These resources 
contributed to the SEC’s success in issuing 2004 and 2005 financial statements with clean 
opinions from the GAO auditors. 

The process of preparing financial statements also has triggered some changes and improvements 
to financial systems which will continue into the future. Currently there are automated linkages 
between some of the larger subsidiary accounts and the SEC’s central accounting systems, but 
there remain other subsidiary systems that require manual intervention to transfer data for 
preparation of financial statements. As new financial systems and subsidiary accounts are 
implemented or existing systems are upgraded, automated interfaces with the central accounting 
system will be put in place. We believe, however, that more automation and integration of 
systems are not likely to significantly reduce the staffing requirements for this activity because of 
the continued need to meet challenging reporting deadlines with high quality financial data. 